
SHA

Safe Haven


Mentions (24Hr): 0 (-100.00% today)

Reddit Posts

r/CryptoMoonShots: Introducing Galleoncoin / GALE : PoW privacy coin with masternodes.
r/CryptoCurrency: Comparing Supercomputer networks to Bitcoin - How to convert exaflop to exahash?
r/CryptoCurrency: Comparing Supercomputer networks to BTC - How to convert exaflop to exahash?
r/Bitcoin: Bitcoin computes this SHA-256 hash function 550,000,000,000,000,000,000x times EVERY second
r/Bitcoin: Entropy: only 121 bits (vs 128) on Blockstream Jade using dice rolls?
r/Bitcoin: Why is BTC considered safe?
r/Bitcoin: Wise men still seek him...a Christmas thought
r/Bitcoin: Do you think that Quantum Computing poses a threat to BTC encryption, algorithm, and/or security?
r/Bitcoin: Tatsuaki Omamoto - creator of SHA-256 (1996!!!)
r/Bitcoin: A.I. Could break bitcoin/SHA256
r/Bitcoin: Bitcoin Qubit SHA256
r/Bitcoin: Is it possible for the energy input to break the difficulty adjustment?
r/Bitcoin: Bitcoin SHA-256 algorithm Quantum protection
r/Bitcoin: Bitcoin Quantum Protection
r/Bitcoin: Are P2WSH addresses the most quantum-secure addresses?
r/Bitcoin: Will AI destroy bitcoin?
r/Bitcoin: Does SHA256 have limitations?
r/Bitcoin: Can anyone here explain how / why it is not possible to get AI involved in the bitcoin mining industry / process?
r/Bitcoin: Is Bitcoin really created by the government?
r/Bitcoin: Verifying latest block
r/CryptoCurrency: Decrypt the Shadows: Unearth a New Order of Decentralization [SERIOUS]
r/Bitcoin: Bitcoin is such a large idea it's hard to wrap my mind around it
r/Bitcoin: Unexpected Record: Balance of 50k Bitcoins Found in Calculation - Seeking Advice
r/CryptoCurrency: Potential Security Loophole for all cryptocurrency.
r/CryptoCurrency: Funny story about WIRED magazine and how they threw away (and lost forever) 13.35 BTC in 2013
r/Bitcoin: China’s new supercomputer can crack SHA256
r/CryptoCurrency: SHA3D (our algorithm) isn't prone to 51% attack.
r/CryptoCurrency: Celebrating 12 Years of our Digital silver - Litecoin
r/Bitcoin: ELI5: If Bitcoin Mining is really just guessing inputs to SHA256 until an output matching the difficulty comes up, how does a miner know what guesses to avoid (previous failed guesses) in order to mine most efficiently?
r/Bitcoin: Bitmain Antminer S21 Hyd
r/CryptoCurrency: Is The National Security Agency (NSA) Behind The Invention of Bitcoin?
r/CryptoCurrency: This Engineer Is Creating a Bitcoin Game Changer
r/CryptoCurrency: [1998] Hal Finney: A zero-knowledge proof of possession of a pre-image of a SHA-1 hash
r/Bitcoin: [1998] Hal Finney: A zero-knowledge proof of possession of a pre-image of a SHA-1 hash
r/CryptoCurrency: Bitcoin mining on the blockchain, what exactly does a miner do? What is an ASIC? How is the mining difficulty adjusted? What if two miners find the answers at the same time? This post aims for the complete beginners as it is explained in very simple terms.
r/CryptoCurrency: A really well done & informative description of LTC by NDAX - A Canadian Exchange. Bravo!
r/CryptoCurrency: Satoshi, NSA and the SHA CRYPTOGRAPHY Algorithms
r/CryptoCurrency: Ken Shirriff showing how to mine bitcoin with pen and paper
r/Bitcoin: Sha256/Nonce Question
r/Bitcoin: ELIF - Why aren't ML and GNNs used to solve hashing in a Traveling Salesman Problem context?
r/Bitcoin: One about Mining, Proof-of-Work and difficulty.
r/CryptoCurrency: One about UTXO's, new outputs, inputs and previous outputs.
r/Bitcoin: One about UTXO's, new outputs, inputs and previous outputs.
r/CryptoCurrency: Bitcoin can survive brute force attack it's infeasible or impossible?
r/Bitcoin: Satoshi era key
r/CryptoCurrency: One about HD-wallets, master keypair, child individual keys.
r/Bitcoin: One about master key pair, child individual keys, addresses and signatures.
r/Bitcoin: One about master keypair, child individual keys, addresses and signatures.
r/Bitcoin: One about HD-wallets, master keypair, child individual keys.
r/CryptoCurrency: 19 years ago today, Hal Finney officially released Reusable Proof of Work (RPoW)
r/Bitcoin: Why is it always a result of a SHA256?
r/CryptoCurrency: Let's Talk Quantum Computing
r/CryptoCurrency: What is a blockchain? - A noob explanation
r/Bitcoin: Quantum computers coming back
r/Bitcoin: Potential vulnerability?
r/CryptoCurrency: TIL: Bitcoin 101 - Hashing Algorithms
r/Bitcoin: Open Source Initiative | Documenting Bitcoin in a new way
r/Bitcoin: Writing a summary on HD wallets, first part done, correct so far?
r/Bitcoin: Final part of SHA256 structure part.
r/CryptoCurrency: [ANN] AsicCoin (ASC) | SHA256 - The coin for ASIC Mining!
r/CryptoCurrency: This sub truly blows my mind….
r/Bitcoin: I'm really worried about SHA-256
r/CryptoCurrency: How to (instruction) quickly make wallet with right balance of safety and usability
r/Bitcoin: Verifying bitcoin core
r/Bitcoin: Bitcoin uses SHA 256 hash functions
r/CryptoCurrency: Flaws of Bitcoin
r/CryptoCurrency: [Serious] Is Bitcoin secure? A reaction to “BTC whales are waking up, were their wallets hacked?"
r/Bitcoin: Satoshi's secret message
r/Bitcoin: SHA-246 Visual w/ Mining Header
r/Bitcoin: How can I fix this?
r/CryptoCurrency: Countering all the major anti-crypto arguments in one post.
r/Bitcoin: Part of SHA256 Visual Mapping
r/CryptoCurrency: A quick explanation of the CZ Interpol Red Notice Rumour
r/CryptoCurrency: phishing email "from" coinbase passes dkim?
r/Bitcoin: Can ChatGPT4 have the computational power to break the SHA-256 encryption? Or does that have nothing to do with it?
r/Bitcoin: Specter verify SHA256SUMS.asc Not Matching
r/CryptoCurrency: Computer Science IB Extended Essay
r/CryptoCurrency: Quantum computing and crypto developments
r/Bitcoin: SHA 256 is a cryptographic hash function that is used to secure and validate transactions on the Bitcoin network. This algorithm was originally developed by the National Security Agency (NSA) in the United States as part of a series of secure hash algorithms.
r/Bitcoin: Who would've thought that the algorithm used by the world's most popular cryptocurrency was originally designed for space exploration? That's right, NASA's SHA-256 algorithm is the backbone of Bitcoin's security and immutability.
r/Bitcoin: Bitcoin’s SHA256, nonce hitting above the target.
r/CryptoCurrency: It's a Trap!
r/Bitcoin: What do you guys think will happen to bitcoin if quantum computers break SHA256 and solve the discrete logarithm problem (ECDLP)?
r/CryptoCurrency: SHA256 vs Scrypt: How Comparing Hash Rates is Misleading | NKMAG
r/CryptoCurrency: Litecoin vs Ripple: Differences, and Everything You Need to Know
r/CryptoCurrency: MoneyShow announces the Peercoin blockchain will be used as an important part of its new newswire service.
r/Bitcoin: How do I generate the master key from the root seed?
r/CryptoCurrency: Storing seed phrase on encrypted USB drives
r/Bitcoin: I found the money, but I can't get it out
r/CryptoCurrency: Going back to basics, Bitcoin 101
r/CryptoCurrency: How does mining work?
r/CryptoCurrency: How mining works?
r/Bitcoin: How mining works?
r/Bitcoin: A few questions.
r/Bitcoin: SHA256 Vs. Scrypt
r/Bitcoin: Does Quantum Computing pose a threat to SHA-256?
r/CryptoCurrency: Do this to verify your BTC holdings in Binance new Merkle Tree Proof of Reserves And Liabilities

Mentions

there are two components: 1. the mining procedure to find blocks relies on hashing (compiling a block, incrementing a nonce until enough leading zeros)... currently this is relying on SHA256... this is inherently not in danger in terms of quantum computing... and it can also be updated easily.. 2. signing transactions, verifying ownership... this relies on elliptic curve digital signature algorithm (ECDSA) and is not quantum safe... it could be updated to new ECDSA algorithms that are post quantum ... so new addresses would actually be safe... for everyone who is capable of moving funds to a PQ-ECDSA address this would be a good solution... the problem: what about addresses that do not transfer to PQ-ECDSA addresses, they would be looted by quantum computers at some point...

there are two components: 1) the mining procedure to find blocks relies on hashing (compiling a block, incrementing a nonce until enough leading zeros)... currently this is relying on SHA256... this is inherently not in danger in terms of quantum computing... and it can also be updated easily.. 2) signing transactions, verifying ownership... this relies on elliptic curve digital signature algorithm (ECDSA) and is not quantum safe... it could be updated to new ECDSA algorithms that are post quantum ... so new addresses would actually be safe... for everyone who is capable of moving funds to a PQ-ECDSA this would be a good solution... the problem: what about addresses that do not transfer to PQ-ECDSA, they would be looted by quantum computers at some point...

Heard about the estimated 3-4 million lost $BTC that people already say exist? That's what happens when keys are lost or forgotten. Those satoshis are basically lost forever, barring a QC cracking SHA-256. But it also means greater scarcity and thus greater valuation for the $BTC that are not lost.

It is now seen as a store of value by many and it might still be seen this way long into the future. In the near future, quantum attacks could force a lot of global databases to run on a DLT; there are other cryptos that could facilitate this. The other cryptos would need to be really secure and would also need to be exceptionally efficient. Only one crypto is both the most secure (aBFT, SHA384) and at the same time the most efficient: 1 billion transactions use only 3000 kWh. As the digital world evolves there could be a few cryptos that succeed for a long time.

Have you ever heard that satoshi might be the NSA, who invented the SHA256 8 years before Bitcoin was born by a mysterious creator never known.

> when sha encryption is finally breached

SHA is not encryption. It's a hash function.

With modern pay-to-public-key-hash (as opposed to the old pay-to-public-key) addresses, it is indeed the case that the act of receiving funds does not expose the public key on chain, only its SHA256 hash which is the address - and SHA256 hashes are not thought to be reversible by quantum computers. So yeah theoretically if you only receive funds you'd be safe - but you will want to spend eventually. Despite hodl culture, Bitcoin is only worth something if you're able to eventually use it. When you do use it, the public key does get exposed on chain. Now it is common wallet behavior to move any unspent funds to a new address, which is mostly meant to help with privacy but actually can help a bit with quantum security as the new address is again an address which only ever received funds and doesn't have its public key exposed. The issue though is the in-between period between sending the transaction out with the public key, until it is finalized - which is at least 10 minutes but can be more. In that time period a quick enough quantum computer could crack the key and try to get a different transaction accepted, say transferring all funds to a wallet owned by the QC's owner. It would be a while until quantum computers that are powerful enough exist, but we'll probably get there eventually and if Bitcoin doesn't change its signature scheme by then, no one will be able to transfer funds safely.

Yep one exploded and SHA259 is now unencrypted.

Did the bombs print more Bitcoin? Did they crack SHA256? Did they change Bitcoin in any fundamental way?

There’s actually 0 evidence it was any of them. They were all involved but 0 evidence it was them. And they’ve all denied it lol. Not sure why CIA or government involvement gets people so worked up. In my opinion that is most logical considering NSA connections with SHA256.

Quantum computers might crack Bitcoin’s ECDSA signatures someday, but a real threat is 10+ years away. Bitcoin can upgrade to quantum-resistant algorithms via soft forks, and hashing (SHA-256) is tougher to break. The network adapts - it won’t go to zero!

You should probably be more concerned about the nuclear control systems that are also using SHA-256... I don't think it's going to be a problem.. encryption will evolve with it; it goes both ways... But yeah, if that hypothetical scenario were true, then all the nuclear missile control systems that are using it might be a bigger concern. The fact no one is worried about that tells me it's not actually realistic FUD, it's just noise...

You're getting downvotes, but I think you are exactly correct. You make a SHA cracking computer or whatever and immediately go rob a bank? FBI knocks on your door and you go to jail. If you don't tell anyone else, though, and pick off a few wallets here and there, you become a trillionaire, but will need to convert to gold quickly before the news gets out.

Quantum computing is definitely a valid concern, but it’s not a “BTC goes to zero” scenario. A few key points:

1. Quantum breaks a lot more than Bitcoin. If quantum computers could easily break current cryptography, it wouldn’t just be BTC—it’d be the entire internet: banking, military comms, SSL/TLS, credit cards, government secrets, everything. That’s a much bigger incentive for society to move fast on quantum-resistant cryptography long before it threatens Bitcoin specifically.

2. Bitcoin is adaptable. The cryptography used today (ECDSA, SHA256) could be upgraded via soft or hard forks to quantum-resistant algorithms (lattice-based, hash-based, etc.). Bitcoin has already upgraded critical parts of its protocol before (SegWit, Taproot). Changing signature schemes is technically challenging but very possible—especially if the alternative is obsolescence.

3. Quantum isn’t “right around the corner.” Practical, large-scale quantum computers that could break Bitcoin’s cryptography aren’t expected anytime soon. Estimates vary from decades away to potentially never. And cryptographers are already preparing post-quantum standards (NIST has finalists ready to deploy).

4. Economic game theory matters. Even if quantum computers existed, miners, devs, and users have every incentive to coordinate a rapid migration to post-quantum crypto. Bitcoin’s decentralization and network effects make that possible.

So Bitcoin doesn’t just instantly go to zero in that world—it evolves. The real risk would be for anyone who reuses addresses or leaves coins in exposed public keys, but even that can be mitigated if upgrades are rolled out before quantum breaks become practical.

TL;DR: Quantum is a threat to all modern cryptography, not just Bitcoin. Bitcoin has the adaptability, incentives, and lead time to transition to quantum-safe algorithms if/when needed.

I already had this debate so here are some facts that I’ve kept for these purposes:

1. What quantum actually threatens

- Elliptic Curve Digital Signature Algorithm (ECDSA): Bitcoin uses ECDSA (over secp256k1) for wallet signatures.
- Quantum threat: Shor's algorithm could, in theory, recover a private key from a public key in polynomial time.
- This matters only after a public key has been revealed (e.g. when you spend coins). Funds at addresses that have never been spent from (hashes of pubkeys) are safer, since SHA-256 and RIPEMD-160 aren't easily broken by quantum at practical scale.

2. What Bitcoin can do

- Upgrade to quantum-resistant signatures: The main defense is to migrate from ECDSA to a post-quantum signature scheme (e.g. lattice-based like Dilithium, hash-based like XMSS, or multivariate/quaternionic systems).
- Bitcoin has a precedent: Taproot introduced Schnorr signatures via a soft fork. Similar governance and consensus could transition to PQ signatures.
- Migration could be done gradually: wallets update, miners enforce, and eventually the network accepts only PQ signatures.
- Current quantum hardware is nowhere close to breaking Bitcoin. Estimates suggest you'd need millions of stable qubits to run Shor's algorithm against secp256k1 in the necessary time window - far beyond 2025 capabilities.
- Cryptographers assume at least a 10-20 year window before "large-scale" quantum exists, if ever. Bitcoin governance tends to move slowly, but it's widely acknowledged that a PQ upgrade will eventually be necessary.

Yes, Bitcoin can defend itself. The primary move would be transitioning from ECDSA to a post-quantum signature scheme through a soft fork or similar upgrade. Until then, the best practice is to avoid reusing addresses. Quantum isn't an imminent threat, but the ecosystem is already preparing for post-quantum cryptography.

Why create the anti-dollar cryptocurrency as the government? Just because they were able to come up with the SHA-256 algorithm to upgrade the previous cryptography algorithms, doesn’t mean they have a monopoly on ideas to apply it or that they would do so in a way that Trojan horses the dollar.

I was researching SHA256 algorithm which was developed by the NSA. Why not go a step further if you’re the government?

Not yet. The algorithm isn't there yet. Shor's is only for finding factors. There's no algorithm for reversing the irreversible SHA because SHA is hashing (not encryption). Double SHA makes the impossible even harder.

Pretty sure it’s impossible to avoid typing your passphrase into any electronic device, unless you’re running SHA256 by hand for every transaction. If you mean internet connected device, then yeah I kind of agree.

Quantum computing cracking the SHA-256

Thanks for the response, but ignoring well-documented historical context around Bitcoin’s origins is, in itself, a form of selective propaganda. Bitcoin didn’t emerge in a vacuum. As early as 1996, the NSA published a paper titled “How to Make a Mint: The Cryptography of Anonymous Electronic Cash”, outlining most of the core principles Bitcoin would later use — anonymous transactions, proof-of-work, public key cryptography, and decentralized clearing mechanisms. Even SHA-256, Bitcoin’s foundational hash function, was developed by the NSA. That’s not a coincidence — it’s a familiar pattern: first military-grade innovation, then "public release" and civilian adoption. It happened with GPS, the internet, Tor — and now Bitcoin. Bitcoin’s whitepaper didn’t invent these ideas from scratch. It’s built on technologies like Hashcash (Back), b-money (Wei Dai), and Bit Gold (Szabo) — all either directly linked to government-funded cryptographic research or operating within adjacent academic-military spaces. Add to that the fact that “Satoshi” never revealed their identity, disappeared immediately after launch, and left their coins untouched to this day — this has all the hallmarks of a well-structured op, not a rogue genius coder. Bitcoin wasn’t a spontaneous revolution. It was a carefully deployed protocol. Not to destroy the system — but to back it up.

Not sure what you mean by password. Was it a wallet using a private key obtained by hashing a password through SHA256? Was it a wallet using a website or service?

You are confusing hashing and cryptography. SHA-256 is a hashing function, not a cryptographic one. Also SHA-256 is quantum resistant; quantum computers provide only a small speed boost if you are searching for collisions. Quantum computers break ECDSA, which is the cryptographic algorithm used to sign transactions in Bitcoin. Anyway, raw public keys are not used anymore as Bitcoin addresses; now they use a different protocol to produce those addresses which involves ECDSA and hashing functions. Even if someone was able to break ECDSA, your bitcoin would still be safe because no one knows how to invert SHA-256 and quantum computers won't help you to do that. Only very old wallets which used raw public key addresses are in danger.

Physical qubit counts have been roughly doubling every year or two, and are on track to “break cryptography”, specifically SHA-256, by about 2030. Except breaking SHA-256 requires *logical* qubits, too, which are growing or progressing or scaling whatever in the opposite direction; the pace is slowing. The development of *logical* qubits is such that it will never break SHA-256.

> In a deliberate effort not to pick blockchain favorites, the department put out Thursday's data via Bitcoin, Ethereum, Solana, TRON, Stellar, Avalanche, Arbitrum One. Polygon PoS and Optimism, identifying the transaction hashes for each in its announcement

But Coindesk has some policy about not linking to the announcement. Here is the announcement, complete with txID hashes for each blockchain: https://www.commerce.gov/news/press-releases/2025/08/department-commerce-posts-2nd-quarter-gross-domestic-product-blockchain

For example, Bitcoin ... https://blockstream.info/tx/fcf172401ca9d89013f13f5bbf0fc7577cb8a3588bf5cbc3b458ff36635fec00?expand

They didn't publish the PDF on blockchains. They published the SHA256 hash of the PDF. Immutable? Sure. But that won't stop El Presidente from firing any official who posts honest numbers.

In case it helps, I recovered an old Bitcoin Core wallet by guessing the password. A friend hadn't been able to access it for years because he forgot it. He gave me the SHA256 hash of the password, which can be obtained from the same file. The password is the one that can be generated by that hash, and that's what you have to guess. I spent a weekend with Hashcat and my RTX3070, several dictionaries and rule files, and a special dictionary completed by my friend with words that could be at least part of the password. First thing Monday morning, Hashcat found it :)

"Satoshi Nakamoto" is the same people who created the SHA encryption protocol; google it and it will immediately become clear who is running everything.

I actually agree with you to an extent. It will take many decades before we have a quantum computer with enough stable qubits to be able to crack anything, including SHA256. But yeah - you should definitely refrain from being rude when someone disagrees with you. It makes more sense to just provide an explanation why they are wrong, and a source or a few sources to back it up. It doesn't need to be a verbose explanation, just enough to bolster your points.

Bitcoin uses cryptography, SHA256? That algorithm is what does the hashing of the network so we can all verify our transactions on blocks.

I don't, I concentrate on the most likely to succeed long into the future. The most efficient (tiny amounts of power usage per transaction) combined with the most secure (aBFT, SHA384) means you only need one token in your portfolio. Can you guess what it is yet?

This. 1. ‘Omg quantum computers’. Yea… but once QCs can break SHA-256, Bitcoin upgrades to SHA-512 and the chase continues. 2. If QCs are able to break SHA-256, we’ve got bigger problems than money. Breaking SHA-256 could mean hacking into almost anything. Nuclear warheads, nuclear power plants, the electric grid, hydropower, communications, GPS, security systems, everything. At that point, why take people’s money when you can deactivate an entire nation effectively removing them from global society.

Most cryptocurrencies are based on the secure hash algorithm, specifically SHA-256 or higher, which is still incredibly secure by today's standards. Maybe quantum computers will make it obsolete one day, but blockchains will also be able to upgrade their protocols in time, too. So worrying about this now is like worrying about how your current computer OS will be outdated 10 years from today. Duh, that's why we upgrade stuff.

Yes. You're right. The problem is that it would require a hard fork, and there isn't enough motivation (for good reason) currently to fork the network. Also, the quantum resistant algorithms are much less battle tested than SHA256. Why switch to an algorithm that is relatively unproven before it's necessary? By the time it becomes a more pressing issue, the quantum resistant algorithms will have had more time to prove themselves secure.

There is no advantage using quantum computers to brute force vanity SHA-256 hashes in Bitcoin, it's not related to symmetric ciphers. Securing the blocks in the chain relies on a one-way hash which has been brute forced to include leading zeroes (aka Bitcoin mining) by changing a nonce value. The more leading zeroes in the hash, the higher the mining difficulty.

Because it's bs. Bitcoin can be updated too. It would need a fork to replace SHA but it's absolutely possible. And who the fuck wouldn't support a fork to keep their money secure? So there won't be that much of a hassle to get consensus.

Here's one. But again, technicalities cannot be explained within a paragraph. OP needs to read the above books. It will take hours to get enlightened as it involves a number of fields like:
- Computer Science
- Economics
- Finance
- Cryptography
- Game Theory
- Law
- Philosophy
- Ethics
- Political Science
- Cybersecurity
- Software Engineering

Here's a step-by-step explanation of how a Bitcoin transaction works from beginning to end, going from a simple view to more technical depth, one paragraph per topic:

1. How transactions are created and signed with private/public keys: When Alice wants to send 1 BTC to Bob, she uses her Bitcoin wallet (software) to create a transaction. Her wallet references previous transactions (called UTXOs — unspent transaction outputs) as the source of her funds. To authorize the transaction, Alice signs it using her private key. This signature proves ownership of the funds without revealing the private key. Bob’s public key (or more commonly, his hashed public key, i.e., his Bitcoin address) is used as the recipient in the transaction. The digital signature ensures the transaction is authentic and unalterable, and anyone can verify it using Alice's public key.

2. How transactions are broadcast to the network and stored in the mempool: Once Alice’s wallet creates and signs the transaction, it is broadcast to the Bitcoin network — essentially sent to nearby full nodes over the peer-to-peer (P2P) protocol. Each node that receives the transaction verifies it (e.g., checks that inputs are unspent and signatures are valid) and, if valid, stores it in a temporary area called the mempool (memory pool), which holds all pending transactions waiting to be confirmed. Transactions remain in the mempool until a miner includes them in a block.

3. How miners pick transactions and form a block: Miners are specialized nodes that gather transactions from their mempool to include in a new block. They typically prioritize transactions offering higher fees (satoshis per byte). A miner creates a block candidate that includes: a list of chosen transactions, a reference to the previous block (via its hash), a timestamp, and a special transaction called the coinbase transaction which pays the miner the block reward. The miner also prepares a block header, which will be used for the mining (Proof of Work) process.

4. How the nonce is generated and tested against the target difficulty: The miner’s main job is to find a value called a nonce (a random 32-bit number) such that, when hashed with the rest of the block header using SHA-256 twice, the resulting hash is less than a network-defined target value. This is what Proof of Work means. Miners iterate the nonce rapidly, hashing the block header each time, until they find a nonce that produces a hash lower than the target. Because the hash function is unpredictable, finding such a nonce is trial and error, requiring immense computational effort.

5. Who decides/assigns this target value (and how difficulty adjusts): The target value is not set arbitrarily; it’s derived from the network difficulty, which is adjusted every 2,016 blocks (roughly every 2 weeks). The goal is to keep the block time around 10 minutes. If blocks were mined too quickly in the last period, the difficulty increases (i.e., target becomes smaller); if too slowly, it decreases. This adjustment is automatic and calculated by all nodes based on timestamps in recent blocks. Thus, no central authority controls difficulty — it's algorithmically enforced by consensus.

6. How Proof of Work ensures consensus: Proof of Work ensures that only nodes which have done real computational work can propose new blocks. This discourages spam or malicious attempts to alter history. When a miner finds a valid nonce and broadcasts the block, other nodes quickly verify the work (easy to check, hard to do). The longest chain (most cumulative work) is considered the valid one. This decentralized, cost-intensive process makes it extremely difficult for any single entity to rewrite the blockchain, as they would need to redo the work of the majority.

7. How the block is validated by other nodes and added to the chain: Once a miner broadcasts a new block, other full nodes receive it and perform several checks: Is the hash valid (below the target)? Are all transactions valid? Does it properly reference the previous block? If the block passes validation, the node adds it to its local copy of the blockchain and removes the included transactions from its mempool. Then, the node propagates the new block to its peers. This ripple effect keeps the entire network synchronized with the latest agreed-upon chain.

8. How immutability is maintained (e.g., why changing one block breaks the whole chain): Each block contains the hash of the previous block in its header. This means that if you change anything in an old block (even a single bit), its hash changes, and thus the next block (which references that hash) becomes invalid. This effect cascades — you'd have to recompute the Proof of Work for that block and every subsequent block, which is computationally infeasible unless you control over 50% of the network’s hashing power (a 51% attack). This cryptographic linking makes the blockchain tamper-resistant and immutable.

Mentions:#OP#BTC#SHA

Ha! I was about to write the exact same thing about the pen and paper until I read your comment. One thing though, doing SHA-256 by hand [is not easy](https://armantheparman.com/sha256/)!

Mentions:#SHA
r/BitcoinSee Comment

Quantum is usually not talked about as breaking the mining, as the difficulty is self regulated. Even if the entire world went to mine bitcoin with futuristic technology it just turns up the difficulty. Quantum hacking to access old wallets is something that is talked about, but SHA256 that bitcoin uses is really really good and better than most of the world's central banks and governments use, so I would expect society to fall apart in other places before BTC. Bitcoin Core has also been developing quantum security for a while so I imagine it will be ready in good time.

Mentions:#SHA#BTC

Monero's CPU mined RandomX and Bitcoin's ASIC mined SHA256 would not have any crossover in hashrate capabilities. Bitcoin would also be at least 20x more expensive to attack

Mentions:#CPU#SHA

It doesn't affect Bitcoin in practice because there are no Bitcoin miners close to 50%.

The mechanism being discussed - secretly mining a series of blocks and releasing them all as a "surprise" to replace the chain tip - is useful for a few reasons:

1. it defeats Satoshi's white paper mining risk calculations, because those calculations assume competition for each block, one block at a time. See section 11 "Calculations"
2. it defeats the double-spend victim's "wait 6 blocks" strategy if the replacement chain tip is more than 6 blocks long

The definitive example of this method is the 2020 BTG double-spend attack https://gist.github.com/metalicjames/71321570a105940529e709651d0a9765

The theft works by depositing BTG to an exchange, buying BTC, withdrawing BTC - all during the regular miners making 6 blocks per hour. At the same time, the thief uses 51% mining hashes rented on NiceHash to mine 2 hours of blocks faster than the regular miners, and in these 14 blocks spending the same BTG to themselves instead of depositing it to the exchange. Then release the 14 blocks to the BTG node network. The nodes automatically replace that much of the chain tip because the new tip is a longer chain. The thief gets to keep the BTG, and also keep the BTC bought on the exchange.

This worked on BTG because:

* BTG is not SHA256, not ASIC-mined, is only GPU mined
* GPU mining hashes are available for rent on NiceHash and similar hash broker sites
* BTG's price and hash rate means it only costs $1700 per hour to rent 51% hash rate for BTG
* the exchange (Binance) wasn't smart enough to wait 30 blocks after receiving the BTG deposit (now they are)

None of those conditions apply to BTC, but it's possible in the future, after the BTC price bubble bursts.

---

To clarify the Monero discussion, it's not possible there either, because Qubic doesn't control enough miners' hashes, and because its miners will switch from Qubic to another pool to prevent Qubic having 51%. The pool only controls its miners' blocks if the miners don't switch pools. Qubic's malicious attempt drives away its miners. Also Monero is CPU mined, not GPU mined, costs much more than a few thousand per hour to overtake the network, and because Monero CPU hashes are not easy to rent on NiceHash (at least, it's not possible to rent 51%).
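The reorg described in the comment above, as an added simulation that is not part of the original thread: a node that follows the tip with the most cumulative work, an exchange that credits a deposit after N confirmations, and an attacker who releases a privately mined chain all at once. Block identifiers, transaction names and the equal per-block work are constructed; in the real attack the secret chain simply accumulates more work over the same two hours, which is what the equal-work-per-block counting stands in for.

```python
"""Chain selection by cumulative work, and why an N-confirmation deposit policy only
protects against reorgs shallower than N. Added example, not from the original thread;
block ids, work values and transactions are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Block:
    ident: str
    parent: Optional[str]
    work: int          # chainwork credited for this block (2^256 / (target+1) in Bitcoin)
    txs: tuple = ()    # transaction ids confirmed by this block


class Node:
    """Keeps every valid block it has seen and follows the tip with the most cumulative
    work. On a tie the first-seen tip is kept, so an equal-work competitor never wins."""

    def __init__(self, genesis: Block):
        self.blocks = {genesis.ident: genesis}
        self.chainwork = {genesis.ident: genesis.work}
        self.tip = genesis.ident

    def add_block(self, block: Block) -> bool:
        """Returns True if the active tip changed (a plain extension or a reorg)."""
        if block.parent not in self.blocks:
            raise ValueError(f"orphan block {block.ident}: unknown parent {block.parent}")
        if block.ident in self.blocks:
            return False
        self.blocks[block.ident] = block
        self.chainwork[block.ident] = self.chainwork[block.parent] + block.work
        if self.chainwork[block.ident] > self.chainwork[self.tip]:
            self.tip = block.ident
            return True
        return False

    def active_chain(self) -> List[Block]:
        chain, cur = [], self.tip
        while cur is not None:
            chain.append(self.blocks[cur])
            cur = self.blocks[cur].parent
        return chain[::-1]  # genesis first

    def confirmations(self, txid: str) -> int:
        """Depth of txid in the active chain; 0 if the active chain does not contain it."""
        chain = self.active_chain()
        for height, block in enumerate(chain):
            if txid in block.txs:
                return len(chain) - height
        return 0


def extend(parent: Block, prefix: str, count: int, txs_in_first: tuple = ()) -> List[Block]:
    """Constructed helper: build `count` blocks of work 1 on top of `parent`."""
    blocks, cur = [], parent
    for i in range(1, count + 1):
        cur = Block(f"{prefix}{i}", cur.ident, 1, txs_in_first if i == 1 else ())
        blocks.append(cur)
    return blocks


def simulate(secret_depth: int, confirmations_required: int) -> dict:
    """Honest miners publish 12 blocks, the first confirming the attacker's deposit.
    The attacker privately mines `secret_depth` blocks from the same parent, the first of
    which spends the same coins to themselves, then releases them all. Returns whether the
    exchange had credited the deposit, whether the node reorged, and the net result."""
    genesis = Block("G", None, 1)
    node = Node(genesis)
    credited = False
    for block in extend(genesis, "H", 12, ("deposit-to-exchange",)):
        node.add_block(block)
        if node.confirmations("deposit-to-exchange") >= confirmations_required:
            credited = True  # exchange lets the attacker withdraw what they bought
    secret = extend(genesis, "A", secret_depth, ("spend-to-self",))
    for block in secret:
        node.add_block(block)
    after = node.confirmations("deposit-to-exchange")
    return {
        "credited": credited,
        "reorged": node.tip == secret[-1].ident,
        "deposit_confirmations_after": after,
        "stolen": credited and after == 0,
    }


if __name__ == "__main__":
    print("14 secret blocks vs 6 confirmations: ", simulate(14, 6))
    print("14 secret blocks vs 30 confirmations:", simulate(14, 30))
    print("12 secret blocks (equal work) vs 6:  ", simulate(12, 6))
```

Two things the simulation makes concrete: the node never compares chain lengths, only cumulative work, and an equal-work competitor does not displace the first-seen tip; and the exchange's policy is only as good as the gap between the confirmation count it waits for and the depth an attacker can afford to mine in secret.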

there's also an infamous CME gap at $9.6k , yes that's $9.6k from back in 2020 ! Maybe we will close that once Quantum computers break SHA256 and BTC tanks...

Mentions:#SHA#BTC
r/BitcoinSee Comment

The process of mining is solving a "math" problem approximately every 10 minutes. "Proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits." - [https://bitcoin.org/bitcoin.pdf](https://bitcoin.org/bitcoin.pdf) As such, your washing machine or garage door will likely not be "mining" themselves, although they might contribute cycles to a processing pool. They tend not to have the oomph to assemble transactions into a block, iterate through nonces, and come up with the compliant hash. That's not to say that solo miners haven't won block awards recently, or that your smart refrigerator might not somehow come up with a hash with the necessary number of leading zeroes before anything else.

Mentions:#SHA
r/BitcoinSee Comment

[https://www.bitaddress.org/bitaddress.org-v3.3.0-SHA256-dec17c07685e1870960903d8f58090475b25af946fe95a734f88408cef4aa194.html](https://www.bitaddress.org/bitaddress.org-v3.3.0-SHA256-dec17c07685e1870960903d8f58090475b25af946fe95a734f88408cef4aa194.html)

Mentions:#SHA
r/BitcoinSee Comment

Yes, banks would not be able to operate anywhere close to the way they do today. But my point was they have an easy fix, due to their centralization of authority, to fix the problem presented by the poster above. Bitcoin doesn't have an easy fix due to its decentralized nature. There are definitive advantages centralized systems have over decentralized ones. There are also disadvantages. I'm just pointing out that banks ending because of the above scenario is not the case. Bitcoin is much more exposed to quantum computing risk (less so the SHA2 function but more the ECDSA used for public/private keys) than banks are.

Mentions:#SHA
r/BitcoinSee Comment

Mining bitcoin is only worth it if you have access to very cheap electricity. You want to be paying less than 10 cents per kilowatt-hour. And then you need to buy at least one efficient SHA-256 hashing ASIC. For example, the [Bitmain Antminer S21 Pro](https://shop.bitmain.com/product/detail?pid=000202504181244499833ha86cWe068B) is an efficient SHA-256 hashing ASIC that is relatively affordable.

Mentions:#SHA
r/BitcoinSee Comment

Sorta but not really. I asked Grok and ChatGPT for fun and this is their answer (skip to conclusion for tldr):

Quantum computers pose a potential threat to Bitcoin's security, but the situation is nuanced and depends on the state of quantum technology and Bitcoin's response to it.

Key Points:

1. **Bitcoin's Cryptographic Algorithms**:
   - Bitcoin uses **ECDSA (Elliptic Curve Digital Signature Algorithm)** for securing private keys and signing transactions, and **SHA-256** for mining and hashing.
   - Quantum computers could theoretically exploit weaknesses in ECDSA using **Shor's algorithm**, which can efficiently solve the discrete logarithm problem. This could allow an attacker to derive a private key from a public key, potentially compromising wallets if quantum computers become powerful enough.
   - SHA-256, used in Bitcoin's proof-of-work, is considered more resistant to quantum attacks. While **Grover's algorithm** could theoretically speed up hash cracking (reducing the time to find a hash collision by a factor of the square root), the impact on mining or double-spending attacks is less immediate and would require an infeasible number of qubits and error correction.

2. **Current Quantum Computing Limitations**:
   - As of August 10, 2025, quantum computers are far from capable of breaking Bitcoin's cryptography. Current quantum computers have limited qubits (e.g., IBM's largest systems have around 1,000 qubits, while breaking ECDSA would require millions of high-quality, error-corrected qubits).
   - Error rates, coherence times, and scalability remain significant hurdles. Estimates suggest it could take 10–20 years (or more) for quantum computers to reach the scale needed to threaten Bitcoin.

3. **Bitcoin's Defenses and Adaptability**:
   - Bitcoin's protocol can be upgraded via **soft forks** or **hard forks** to adopt quantum-resistant cryptographic algorithms, such as **post-quantum cryptography** (e.g., lattice-based or hash-based signatures). The NIST has already standardized some post-quantum algorithms (e.g., CRYSTALS-Dilithium, FALCON) that could be integrated.
   - Many Bitcoin wallets use addresses derived from public keys only when spending, meaning private keys are not exposed until a transaction occurs. This limits the window for quantum attacks unless public keys are reused (a practice discouraged by best practices).
   - The Bitcoin community is aware of the quantum threat and could implement changes proactively if quantum advancements accelerate.

4. **Practical Risks**:
   - Even with a sufficiently powerful quantum computer, hacking Bitcoin would require targeting specific high-value wallets with exposed public keys, which is a targeted rather than systemic attack.
   - A quantum computer capable of running Shor's algorithm effectively would also threaten other cryptographic systems (e.g., RSA, HTTPS), making Bitcoin one of many potential targets.
   - Economic and logistical barriers (e.g., the immense cost of building and operating such a quantum computer) may deter attackers, especially if Bitcoin adapts.

5. **Timeline and Speculation**:
   - Experts estimate that quantum computers capable of breaking ECDSA are at least a decade away, likely beyond 2035, based on current progress (e.g., IBM, Google, and others' roadmaps).
   - Posts on X and web sources (as of my last data) reflect mixed opinions: some alarmist claims suggest Bitcoin is at risk soon, while technical analyses (e.g., from cryptography experts) emphasize that quantum computers are not yet a practical threat and Bitcoin has time to adapt.
   - For example, a 2023 analysis by the Quantum Resistant Ledger team estimated that a quantum computer with ~10 million qubits would be needed to break ECDSA in a reasonable timeframe, far beyond current capabilities.

Conclusion: Quantum computers could theoretically hack Bitcoin by breaking ECDSA, but this is not feasible with current or near-future technology (as of 2025). Bitcoin's community can mitigate this risk by adopting quantum-resistant algorithms before quantum computers become a threat. For now, Bitcoin remains secure, but vigilance and protocol upgrades will be crucial in the long term. If you want me to dive deeper into quantum algorithms, post-quantum cryptography, or specific X posts on this topic, let me know!

Mentions:#SHA#RSA

Grover gives a quadratic advantage on reversing hash and breaking symmetric encryption. But still it is unlikely it would "break" most algorithms. SHA-256 for example - the classic search can reverse a hash in about 2^256 steps, Grover's improves that to 2^128 - but that is still unfeasible, it would take more time than the age of the universe to run. Now the main thing SHA-256 is used for in Bitcoin is the PoW mechanism (mining) and the quadratic advantage of Grover's can throw a wrench into that - but that would only be relevant when there is a single quantum computer (can't really join forces with other quantum computers as Grover's doesn't parallelize) that can run Grover's steps as fast as about a square root of the hash rate of the entire Bitcoin mining network... That would take a while to reach. Shor's algorithm on the other hand can break the ECDSA signature scheme used by Bitcoin and go from public key to private key. That is somewhat mitigated by the fact that modern addresses don't have their public keys on the chain until you spend funds, but still old Satoshi-era wallets can become loot, and even modern wallets can be attacked on the time window between sending a transaction and when it is finalized. This might also take decades to be feasible, I really don't know. But is a much more real concern than Grover's.

Mentions:#SHA
r/BitcoinSee Comment

SHA-256 and BIP39 are "quantum safe" if you're talking about what quantum computers are capable of at this moment. But if quantum computers become what they're projected to eventually become, no cryptographic standard that currently exists is safe, and saying buzz words you heard on a broadcast isn't going to change that.

Mentions:#SHA#BIP
r/BitcoinSee Comment

What does that mean? If you're talking about a superposition, no, it will quickly collapse. If you're talking about switching to a quantum-safe hash algorithm, that does make sense, but I think SHA-256 is already pretty quantum-safe as far as we know.

Mentions:#SHA

If you extract a list of all the addresses from the Bitcoin blockchain, it's quick to check whether each address for each derivation path is in this list, especially since the two main BTC derivation paths have the same RIPEMD160(SHA256(pubkey)) hash, stored slightly differently in the blockchain TXO There's a free app called BTCRecover. As well as brute forcing seed phrases, wallet passphrases and individual private keys, it implements the database shortcut described above

Mentions:#BTC#SHA

Bitcoin's decentralization is at an all time high. Meaning most people ever have closest proximity to buy ASICs to run all over the world and they obviously do, and the next potential ASICs being produced are closer than ever to the physical optimum of converting energy into SHA256 hashes - of current material science.

Mentions:#SHA

Well, either SHA-256 will become reinforced for quantum computing, potentially an upgrade for the mining suite, and the miners will give a consensus to upgrade the network hash. Or we will see an AI dystopian world where the first person to unlock it will be able to competently do a 51% attack and destroy the network by front running all the data and being able to program the hash out and front run the transfer location and drain any transactions that occur on the block that is being solved with Quantum Computing. It's a catch-22 scenario, we just need to pray whoever gets the GPU is not a tyrannical fiat driven over-seer... Oh wait...

Mentions:#SHA#GPU

I'm very used to people having very irrational and hostile views when it comes to bitcoin. They just can't wrap their head around it, probably because they never really tried. It's been declared dead 100s of times by the news media, and portrayed as a scam. Yet, it continues to do its job. Every 10 mins another block. Bitcoin is a scam for people that never took the time to read (and understand) the white paper. If you haven't, at least read it and try to understand it (I can't understand it for you). This will be difficult w/o fairly significant technical knowledge of computing/cryptography/math/distributed systems. Doubters of bitcoin wouldn't know (or care) what SHA256, Secp256k1, or ECDSA is referring to. They wouldn't know what a derivation path is, how to sign an address, or what the mempool is. They wouldn't know what a BIP is or the purpose of running your own node. Anyone that says bitcoin is a scam is ironically just scamming themselves by failing to learn how lucky we are to have such a robust decentralized network that anyone can use to transfer value. We are lucky BTC was the first crypto and that it had time to get strong. It has secured its spot as the #1 crypto and the network effect will ensure this holds true. A shame people can't find the value of such a freedom serving protocol. In our ever increasing digital age you'd think this would be viewed as an obvious positive for the populace. Time will do that though. Bitcoin is here to stay. You live, you learn.

Mentions:#SHA#BIP#BTC
r/BitcoinSee Comment

The whole internet relies on SHA256. If it's cracked, there will be chaos

Mentions:#SHA

Hal Finney also published Reusable Proof of Work system in 2004.. I wouldn't put it past the NSA/CIA being somehow involved (department level or people who worked there) too as they have published papers relating to electronic decentralized cash pre 2000 and NSA having created SHA-256. I favor it being Hal and some of his colleagues/friends though.

Mentions:#SHA

I guess that he can control the narrative by asking the "right" questions. I wonder what Grok would have said about ECDSA instead of SHA-256.

Mentions:#SHA

SHA-256 (on which the blockchain is based) is not really threatened. The real threat comes from Shor's algorithm, by reversing a known public key to the corresponding private key, which then exploits all funds on that specific address/public-private key combination.

Mentions:#SHA

🔐 Estimating the Probability of Quantum Computing Cracking SHA-256

Let's clarify what's involved:

⚙️ SHA-256 in a Nutshell
• A cryptographic hash function widely used in Bitcoin, blockchain, and digital signatures.
• It's designed to be one-way, meaning you can't feasibly reverse or "crack" it with classical methods.
• Output: 256-bit hash (2²⁵⁶ possibilities ≈ 1.16 × 10⁷⁷).

⚛️ What Quantum Computing Can (and Can't) Do

✅ Quantum Advantage:
• Grover's Algorithm can search an unstructured space of N possibilities in √N time.
• For SHA-256, that brings the effective security level from 256 bits to 128 bits.
• This is still extremely strong, as strong as AES-128, which is still considered secure.

❌ Quantum Limitations (as of 2025):
• Grover's Algorithm doesn't "crack" SHA-256; it only speeds up brute force guessing.
• SHA-256 is not broken by Shor's Algorithm (which is used for breaking RSA/ECC).
• A quantum computer capable of attacking SHA-256 with Grover's Algorithm would need:
  • Around 10⁶ – 10⁷ logical qubits (not physical qubits, which are much more error-prone).
  • Millions of quantum gates per query.
  • Extremely low error rates and fault-tolerant architecture.

Current state-of-the-art quantum computers (as of 2025):
• Have hundreds of physical qubits, not logical qubits.
• No current machine can run Grover's algorithm at SHA-256 scale.

🧠 Bottom Line:
SHA-256 is quantum-resistant for now. A quantum computer cracking it with Grover's Algorithm would still take 2¹²⁸ operations, which is still infeasible for the foreseeable future.

Estimated probability today (2025): 0%

If your application uses SHA-256 (e.g., Bitcoin), it is currently safe from quantum attacks, but future-proofing (e.g., post-quantum cryptography) is worth monitoring for long-term planning.

Some major government or corporation will recover it someday in the future. I expect that the way this will play out is as follows: Sometime in the next decade or two, Bitcoin will transition to have quantum resistant wallets. Everybody will be recommended to move all of their Bitcoin from the legacy wallets to the new quantum resistant wallets before quantum computers advance to the point that SHA256 is at risk. Over a period of time, most people who are alive and active will have migrated their stack to a quantum resistant wallet. Some years later, maybe even decades later, who knows, quantum computing will be advanced enough that it can break SHA256. It won't be affordable by individuals, but there will be some major corporations, some governments, etc. that will have some. I expect that some of these will find all of the "lost" legacy addresses that never migrated to the new quantum resistant wallets, and they will retrieve them for themselves or their government or charity or whatever. I could totally see that happening in the very distant future. It's totally possible that "lost" Bitcoin won't be lost forever, but will just be scavenged by large organizations with super quantum computers many decades from now. Basically like sunken treasure from a shipwreck. It might be Microsoft or Google or China or the US government that ends up "finding" this guy's "lost" Bitcoin stash. 🤯

Mentions:#SHA

If an address has never sent a transaction then the private key would not be exposed as incoming transaction is secured by a public key hash. Quantum computers would first have to break the hash function (RIPEMD-160 combined with SHA-256), which is currently considered quantum-resistant.

Mentions:#SHA

You are correct. After further research, it seems the bigger vulnerability lies in Bitcoin’s use of ECDSA (Elliptic Curve Digital Signature Algorithm) for transaction signatures. A sufficiently powerful quantum computer could break a 256-bit ECDSA key in hours or days, whereas breaking SHA-256 would take much, much longer. A post-quantum signature scheme such as hash-based or lattice-based signatures would definitely be the way to go.

Mentions:#SHA

Ok, p2pk only consisted of the first 50-100 blocks before p2pkh was introduced. The VAST majority of Satoshi’s coins are locked behind p2pkh double hashed with RIPEMD-160 and SHA-256. They are MUCH more secure than most people think. Which is why corporations and governments are buying. They have geniuses to explain this to them. Follow the smart money my bros.

Mentions:#SHA

Quantum got mad they cant hack SHA. Spiteful hobbit.

Mentions:#SHA

The only thing that scares me about the future is how seriously quantum computing is already being discussed. Cryptographers warn that RSA-2048 and similar asymmetric algorithms could be broken by cryptographically relevant quantum computers (CRQCs) as early as 2030, though most experts consider that timeline optimistic. In contrast, symmetric cryptography like SHA-256 holds up better: under Grover's algorithm, its effective security is halved to ~128 bits, which NIST currently considers acceptable. The bigger short-term risk lies in asymmetric systems like RSA and ECDSA, the cryptographic foundations of Bitcoin, TLS, and digital identity. If IBM, Google, or other players achieve faster-than-expected quantum milestones, there's a 10–20% chance of viable threats by 2035. Quantum mining, though speculative, could pose another risk. If Grover's algorithm or future quantum acceleration techniques are applied to Bitcoin mining, entities with access to advanced quantum hardware, e.g., governments, tech giants, could vastly outperform classical miners. This could disrupt Bitcoin's difficulty adjustment and further centralize mining power. AI compounds this. It's accelerating quantum hardware design, optimizing quantum error correction, and shortening time-to-deployment. Some forecasts (e.g., McKinsey) project a $72B quantum industry by 2035, with AI acting as a force multiplier. If Bitcoin hasn't transitioned to post-quantum-safe signatures like Dilithium by then, it may be vulnerable. How possible is this actually? I'm not sure.... Even using AI myself and seeing how far it's advanced since 2023 is just mind-boggling. Will Smith and the spaghetti becoming hyper realistic from generated nightmare fuel.....

Mentions:#RSA#SHA

Well, SHA3 is as quantum-resistant as SHA2. We don't know of a "total break" as the quantum algorithm breaking, say, RSA or Diffie-Hellman is usually phrased. Hash functions are quite resistant against quantum computers and seem to remain secure when the hash value is long enough (not crazy long, 512 bits is perfectly fine). That's actually awesome. Hash functions are well studied and we know how to build asymmetric cryptographic primitives such as digital signatures from them. Meaning, we know how to build quantum computer resistant digital signature schemes :-))

Mentions:#SHA#RSA

Here is ChatGPT's take on this:

Yes, quantum computers could pose a threat to Bitcoin, but not immediately. The concern revolves around two main areas of Bitcoin's security model:

1. ECDSA Signature Vulnerability
Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) to secure transactions. The public key is used to verify that a transaction was signed with the corresponding private key.
• Quantum Threat: Shor's algorithm (which runs on a sufficiently powerful quantum computer) can break ECDSA by deriving a private key from a public key.
• Impact:
  • If a quantum computer can break ECDSA before a transaction is confirmed, it could steal the Bitcoin by forging a new transaction.
  • However, most Bitcoin addresses only reveal the public key once funds are spent, so unused addresses are safe for now.

2. Hash Function Resistance
Bitcoin mining uses SHA-256 hashing.
• Quantum Threat: Grover's algorithm can reduce the complexity of brute-force searching by a factor of √n.
• Impact:
  • This gives only a quadratic speedup, not an exponential one, meaning quantum computers won't break SHA-256 anytime soon.
  • Quantum advantage here is relatively minor compared to the ECDSA threat.

When Could This Be a Real Threat?
Estimates vary, but breaking Bitcoin's cryptography would likely require a fault-tolerant quantum computer with millions of qubits, something that may still be 10–20+ years away, depending on technological progress.

Can Bitcoin Be Upgraded?
Yes. Bitcoin could migrate to quantum-resistant cryptography, such as:
• Lattice-based cryptography
• Hash-based signatures (e.g., Lamport, XMSS)
• Multivariate cryptography
This would require a soft or hard fork in the protocol, controversial but technically feasible.

Conclusion
• Not a current threat.
• Future risk, especially to spent addresses.
• Mitigations are possible through protocol upgrades and best practices (e.g., using a new address for each transaction).

Let me know if you want to see a timeline or technical breakdown of upgrade paths.

Mentions:#SHA

public keys are SHA256 then RIPEMD160 hashed, checksum is double hashed. so yeah?

Mentions:#SHA

Double hashing is mining, yeah. No it's not to prevent exposure of any keys. SHA256(SHA256(Block_Header)) The second hash has something to do with mitigating length extension attacks.

Mentions:#SHA

The only thing I can think of is if you figured out how to reverse-engineer a SHA256 hash in under 10 minutes (1hr+ at times) you could 'mine' the next block. By my understanding these quantum simulations are so theoretical as to be completely un-useful. As for hacking a private key, yeh that's a totally separate challenge because of the elliptic curve, but you don't have the same time constraint, at least. For now, I sleep very easy at night.

Mentions:#SHA

To the best of our knowledge and expectations, quantum computers won't "crack" SHA-256 at all. That doesn't mean the quantum threat does not exist - the main issue is ECDSA. The scenario Grok refers to as "cracking" SHA-256 is being able to run Grover's search on it, which gives a quadratic advantage in search. That means that to fully reverse a hash (find a preimage that hashes to a specific hash) you need to do around 2^128 steps instead of 2^256 - but that is still unfeasible to do, it will take more than the age of the universe even if we assume the QC is as fast as the fastest processors today. The problem of finding collisions (two preimages that hash to the same thing) is a bit easier, takes 2^128 steps classically and 2^64 with Grover's search - that is still mostly unfeasible, but not quite "age of the universe" level and could maybe be done if we get quantum computers *very* fast. But even in this case, it's easy to just move to SHA-512. The issue which is unique to Bitcoin is mining. In mining the miners do a partial reversal of SHA-256 (trying to hit a range of preimages) which is just hard enough for the whole network to do it in 10 minutes. A quantum computer gets a quadratic advantage on that partial reversal too, and since mining is competitive it won't need to be extremely powerful to dominate. Still you would need a much more powerful quantum computer than we currently have or expect to have in the coming decades, and you can't even effectively "join forces" from several quantum computers because Grover's search doesn't parallelize well. So it looks like this isn't a concern for a while, but when it is it looks like it would change the landscape of mining significantly (much more than the CPU->GPU->ASIC transition), mostly for the worse it seems for decentralization and robustness. It's unclear if any kind of proof-of-work we know can work well with quantum.

Anyway the real problem which is more pressing is the ECDSA signature scheme, which is what is used in Bitcoin to sign transactions using a private key, such that they can be verified with the public key. This signature scheme is thought to be possible to crack with quantum computers - going from public key to private key. Now there are modern algorithms which are thought to be quantum resistant, but there are some issues with moving Bitcoin to use them - you need people to willingly migrate to a quantum resistant wallet, as they need a new private key from the new algorithm. It's of course tough to rally everyone and for some it would not even be possible as they lost access to their keys. Quite a few of the early wallets whose public key is exposed would become "quantum loot" and there is some discussion over whether to let it be stolen or freeze those funds. Another issue is that the signatures in quantum resistant algorithms are much larger, and that's an issue with block space already being at a premium.

Mentions:#SHA#CPU#GPU
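The Grover figures quoted in several comments above (2^128 steps for a preimage, the "age of the universe" comparison, and the remark that Grover's search does not parallelize and so only matters for mining once one machine runs iterations at roughly the square root of the network hash rate) carried through as an added worked calculation. This is not from the original thread; the rate of one Grover iteration per nanosecond is an assumed and deliberately generous figure, since each iteration is a full reversible SHA-256 evaluation.

Preimage search over $N = 2^{256}$ outputs needs about $\frac{\pi}{4}\sqrt{N}$ Grover iterations:

$$\frac{\pi}{4}\sqrt{2^{256}} = \frac{\pi}{4}\,2^{128} \approx 2.7 \times 10^{38}$$

$$T \approx \frac{2.7 \times 10^{38}}{10^{9}\ \text{s}^{-1}} \approx 2.7 \times 10^{29}\ \text{s} \approx 8.5 \times 10^{21}\ \text{years} \gg 1.4 \times 10^{10}\ \text{years (age of the universe)}$$

Splitting the search across $k$ machines shows why "joining forces" does not help a quantum attacker the way it helps a classical mining pool:

$$T_{\text{classical}}(k) = \frac{N}{k}, \qquad T_{\text{Grover}}(k) \approx \frac{\pi}{4}\sqrt{\frac{N}{k}}$$

so doubling $k$ halves classical time but cuts quantum time only by $\sqrt{2}$.

For mining, the search is for any header whose hash lands below the target, a success probability $p = \text{target}/2^{256}$ per hash. A classical network with hash rate $H$ needs about $1/p$ hashes, i.e. $1/(Hp)$ seconds; a single quantum miner running $r$ iterations per second needs about

$$T_{Q} \approx \frac{\pi}{4}\cdot\frac{1}{r\sqrt{p}}$$

and therefore out-mines the whole network only when $r \gtrsim \frac{\pi}{4}\,H\sqrt{p}$, which is the "square root of the hash rate" condition stated above. Since $p$ falls as difficulty rises, the required $r$ falls too, and because the difficulty adjustment only re-equalises block times, a quantum miner that reached that rate would hold the advantage rather than have it adjusted away.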

r/BitcoinSee Comment

Unless the new hashing algorithm is compatible with SHA-256, miners will absolutely not “quickly upgrade”. The first company to put out a new ASIC for the hashing algorithm will be rich though. As long as they don’t use it all to mine themselves like Bitmain did for so long with their BTC ASICs.

Mentions:#SHA#BTC
r/BitcoinSee Comment

Hashes like SHA are not the weak point of crypto currencies. Asymmetric cryptography like RSA, Elliptic curve used for signing of transactions is. If I can issue transactions by pretending to be someone else, then I don't need to break the hashing. I just issue a transaction like any other transaction.

Mentions:#SHA#RSA

ECDSA is a much easier target than SHA-256 is. Mining and the mempool are not the immediate targets, Satoshi's wallets are. There's no easy fix - you either burn the old coins and coins with known public keys (by making them inaccessible if not moved by some migration date) or you do nothing and allow those old wallets to be drained. It's actually a massive controversy and the one thing I think could potentially end BTC's dominance in the crypto space.

Mentions:#SHA#BTC

Let's forget about the improbability of SHA-256 getting compromised, bitcoin's ability to evolve beyond it and the fact that all financial institutions are also screwed in the event that it happens. Bitcoin is unique in that the moment it is cracked it becomes worthless. Congrats, you stole Satoshi's 1M bitcoin, or all 21M for that matter… and now there is no one to sell it to. Would require a Joker-like character to do it - any sane profit-focused criminal is better off trying to steal nearly anything else.

Mentions:#SHA

If a quantum computer breaks the bitcoin cryptography or SHA-256, everything else will scramble, not just "crypto" or bitcoin… it applies equally to fiat. In such an extreme event, the centralized institutions managing fiat (central banks, governments, payment networks) would be severely disrupted. Just as Bitcoin would be inaccessible, fiat would be unusable without the structures that give it legitimacy. In both cases, value collapses when the supporting system collapses. Also, even if quantum computers eventually become powerful enough to mine faster, they wouldn't be able to just mine all the remaining Bitcoin in a few days. The protocol is designed to adjust the difficulty every 2,016 blocks (roughly every 2 weeks), so if blocks start getting mined too quickly, the network would respond by making mining harder. That prevents anyone from speeding through the rest of the supply like that. And if something like that ever did start to happen, the network could fork, upgrade the protocol, or switch to a quantum-resistant algorithm. Bitcoin's core algorithm isn't static, it can adapt, like it has in the past with SegWit, Taproot, etc. So overall, it's not really a realistic threat, and ironically it would hurt the attacker just as much as anyone else. The most realistic threat would be using quantum to break the ECDSA signatures and steal coins from previously-used wallets. But that's not something current quantum tech can do… again, we're probably decades away from it. Even if it happened, the community could fork the protocol to stop the damage, blacklist stolen coins, or move to quantum-safe cryptography. Another idea is that someone could mine way faster than the rest of the network and try to mess with block timings or reorganize the chain. That might cause temporary chaos, but the protocol would adjust the difficulty, and devs/miners would respond fast.
Same with flooding the network with junk blocks, Bitcoin's already been through a lot of those kinds of attacks and adapted. The thing is, if someone actually had that much quantum power and used it just to break Bitcoin, it would pretty much prove to the world that it's time to move on to quantum-resistant tech. So in a weird way, it would accelerate Bitcoin's evolution rather than kill it. So yeah, they could definitely create panic or crash the price short-term, but wiping out Bitcoin completely would be a lot harder than people think.

Mentions:#SHA

Is there some form of encryption that we can use which is superior to SHA256 that quantum computing cannot crack?

Mentions:#SHA

Grover's algorithm cannot realistically crack SHA-256, as it only gives a quadratic speedup from 2²⁵⁶ operations to 2¹²⁸, which is still very large. This is good because bitcoin does not have any ideal mechanisms to deal with a broken block hash function. Shor's algorithm, on the other hand, can crack ECDSA, but this is fixed by P2QRH and similar proposals.

Mentions:#SHA

He's asking the wrong question, it's not SHA256 that is vulnerable to quantum computers, but ECDSA. Forging signatures allows you to spend other people's coins and that's what Bitcoin must worry about.

Mentions:#SHA

And bitcoin uses SHA256 twice to calculate the next block. That means, after you cracked a single SHA256 you can start over now and build your computer 100s times bigger.

Mentions:#SHA

People here are dumb. Grover's algorithm theoretically improves the speed at which hashes can be found since Grover's algo reduces the search space of hashes from 2^256 to 2^128. It does not break SHA-256. This means miners using quantum computing will have an edge over ASIC miners.

Mentions:#SHA

Also, if SHA-256 were meaningfully broken, the community could coordinate a soft or hard fork with a stop-date consensus, transitioning to a quantum- or AI-resistant encryption algorithm. It wouldn't be easy, but Bitcoin’s governance has handled forks before.

Mentions:#SHA

Well, the people that didn't upgrade year values to 4 digits ran their own risks of unpredictable behavior. Those that don't upgrade to SHA-2 would be exposing their wallets to potential hacks at that point. In other words why *wouldn't* every node accept the upgrade to protect a multi-trillion dollar network?

Mentions:#SHA

I'm not an expert in any of this, but this is my understanding of it all. The password that bitcoin uses is basically a math problem, SHA-256. The math problem is what bitcoin uses for its password verification. And not just bitcoin uses this encryption. For a modern computer to actually solve this math problem and break the code, it would take a longer time than the universe has existed. In theory though, quantum computers would be able to do computations at the quantum level where all of the computations could be done simultaneously. Time would no longer be a factor. If successful, it would mean a quantum computer could break any password or encryption. This would have huge ramifications for not just bitcoin, but everyone. As encryption of anything at all could no longer be guaranteed. Imagine a world where any password for anything online cannot be guaranteed and no messages could be guaranteed to be secure.

Mentions:#SHA

This. If the SHA is broken, bitcoin is least of our worries ...

Mentions:#SHA

We’re starting to drift outside the realm of my expertise, but my general understanding is SHA-512 is more secure. How much more I couldn’t really say. SHA-256 is faster and uses less resources which I think was a big part in why it was chosen.

Mentions:#SHA

Not trying to sound stupid, but how much more secure would SHA-512 be? And why is it not already done?

Mentions:#SHA

SHA-512, ez fix

Mentions:#SHA

I don’t think you understand how SHA256 works.

Mentions:#SHA

Grok predicts that by 2035 the quantum computers will still not be able to crack SHA256 encryption that is used by Bitcoin(and a lot of other stuff) within a reasonable amount of time.

Mentions:#SHA

http://bicoin.dev/SHA-257_is_on_the_way/s

Mentions:#SHA

I think you misread? They match each mnemonic word against the BIP-39 wordlist to retrieve its index (ranging from 0 to 2047), then convert each index into an 11-bit binary value. These 11-bit chunks are concatenated to reconstruct the full bitstream, which consists of the original entropy plus an 8-bit checksum derived from the SHA-256 hash of that entropy. Optionally the passphrase is then added and the whole thing is fed to PBKDF2 to derive the final 512-bit seed. In practice though, all you ever need when storing a BIP39 seed is the first 4 letters of each word, because they are all entirely unique and all you need to find the index in the wordlist. I was just trying to simplify it conceptually to the OP.

Mentions:#BIP#SHA#OP

Well I'm glad someone on reddit knows. Refreshing to see actual facts. I always thought it was fishy the government created the SHA-256.

Mentions:#SHA
r/Bitcoin

With the Coldcard you can:
Determine the 23 words with dice throws.
Enter them in the Coldcard and it will calculate your checksum and give you the choice between 8 possible 24th words.
With Ledger this is not possible; you have to calculate the checksum yourself. In my opinion it is impossible to calculate the checksum by hand because it requires the SHA256 of the 256 bits. You must therefore do this with a PC or smartphone offline... and not make any mistakes to avoid leaking the 256 bits determined with the dice. If the calculation of the checksum is false the seedphrase will be invalid because it does not comply with BIP39.

Mentions:#SHA#PC#BIP
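An added example, not from either of the two comments above, that walks through the checksum mechanics they describe: the checksum bits taken from SHA-256 of the entropy, why 23 dice-generated words leave exactly 8 valid 24th words, and the PBKDF2 step to the 512-bit seed. Words are handled as wordlist indices (0..2047) because the BIP-39 wordlist itself is not embedded; the demo entropy is constructed and not a real secret.

```python
"""Added example (not from the thread): BIP-39 checksum mechanics.
Words are represented by their index (0..2047) into the BIP-39 wordlist, which
is not embedded here; turning indices into words needs that list."""
import hashlib
import unicodedata
from typing import List


def entropy_to_indices(entropy: bytes) -> List[int]:
    """Append ENT/32 checksum bits (the first bits of SHA-256(entropy)) and split
    the result into 11-bit word indices: 128 bits -> 12 words, 256 bits -> 24."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32  # 4..8 bits, always taken from the first hash byte
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_are_valid(indices: List[int]) -> bool:
    """Recover the entropy from the word indices, recompute the checksum, compare."""
    if any(not 0 <= i < 2048 for i in indices):
        return False
    total = len(indices) * 11
    cs_bits = total // 33
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> cs_bits).to_bytes((total - cs_bits) // 8, "big")
    return entropy_to_indices(entropy) == indices


def last_word_candidates(first_indices: List[int]) -> List[int]:
    """Given all but the last word (e.g. 23 dice-generated words), list the final
    indices whose checksum verifies. For 24 words, 3 bits of the last word are
    free entropy and 8 are fixed by SHA-256, so exactly 8 candidates exist."""
    return [c for c in range(2048) if indices_are_valid(first_indices + [c])]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Final step: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048)


if __name__ == "__main__":
    demo_entropy = bytes(range(32))  # constructed, not a real secret
    idx = entropy_to_indices(demo_entropy)
    print(len(idx), "word indices, valid:", indices_are_valid(idx))
    print("valid 24th-word indices:", last_word_candidates(idx[:23]))
```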

SHA-256 is a cryptographic hash function designed to be one-way, meaning that, even with massive means, one cannot reverse a fingerprint (find the original message), nor find two different messages producing the same fingerprint (collision). It has resisted all known attacks for more than 20 years. And if a genius came up with a theoretical attack tomorrow, it would still take years for it to be applicable in practice. If SHA-256 were to be weakened, the community could very well replace it with another more robust algorithm, via a soft fork or a clean hard fork. Alternatives already exist (SHA3, BLAKE3, etc.).

Mentions:#SHA

BTC got completely owned by big money. It's just a semi-regulated tech stock now. "Hijacking Bitcoin" book explains it pretty well. Everything else keeps slowly degenerating to nothingness, with an occasional scam pump. Crypto failed as P2P cash, and that is now more than obvious. Because it's too hard to on/off ramp it, or too volatile to be used as daily cash or even short term checking account. Some projects are clinging on, like XMR, but these are an anomaly, not the norm. Governments started to buy crypto. This will only end in tears. Someone will have to repay all these debts once BTC crashes to zero because some math genius kid or a quantum computer broke SHA256, or some contentious soft fork breaks the chain. A baby born today will be an adult in 2043. How much Bitcoin will this young person be able to buy? Forever growth is a myth. You eventually run out of resources, or fools to buy your bags.

Mentions:#BTC#XMR#SHA
r/Bitcoin

SHA-256? Algo for bitcoin keys is ECDSA.

Mentions:#SHA
r/Bitcoin

A Base58Check-encoded address showing consistent partial matches across many attempts would be statistically improbable if it were happening beyond pure chance. But here's the thing: Bitcoin addresses aren't raw outputs of ECC or SHA-256 alone; they go through multiple layers, including SHA-256, RIPEMD-160, a version prefix, a checksum, and finally Base58Check encoding. So a “33% match” in address characters might feel significant, but it doesn’t necessarily imply proximity in key space. Base58 encoding isn't linear, and small character overlaps don’t mean the inputs are mathematically close. If your AI is consistently getting partial matches better than chance across millions of samples, then yes, that would be noteworthy. But you need to verify that your dataset is truly random and not biased; for example, if you’re sampling from a narrow subset of keys, burn addresses, or vanity address prefixes, the character distributions might not reflect the true address space. It’s also important to compare your results against a statistical baseline for random attempts, and ensure your parsing of Base58Check addresses is correct. Some characters appear more frequently than others due to the checksum and version byte structure, which can skew superficial comparisons. If the anomaly holds under careful scrutiny, but chances are this is due to random noise, encoding quirks, or flawed assumptions in the match criteria. Still, it's good you're probing it; asking these kinds of questions.

Mentions:#ECC#SHA