SPHINCS+ / SLH-DSA
SPHINCS+ / SLH-DSA. NIST's hash-based PQ signature standard; large but with minimal algebraic assumptions.
This page sits in the Post-Quantum Bitcoin section — How Bitcoin plans to survive cryptographically-relevant quantum computers. Read on for what it is, why it exists, how it works under the hood, and what to watch out for.
SPHINCS+ / SLH-DSA — at a glance
SPHINCS+ / SLH-DSA relates to Bitcoin's preparation for the day a sufficiently powerful quantum computer exists — one capable of breaking elliptic-curve cryptography in polynomial time via Shor's algorithm. SPHINCS+ (standardised by NIST as SLH-DSA) is NIST's hash-based post-quantum signature standard: its signatures are large, but its security rests on minimal algebraic assumptions, essentially only the strength of the underlying hash function. The threat is real but distant; the preparation is mostly research-level today.
Why it exists
Bitcoin signatures (ECDSA, Schnorr) rely on the hardness of the elliptic-curve discrete logarithm problem on the secp256k1 curve. A cryptographically-relevant quantum computer (CRQC) could solve that problem and forge signatures for any address whose public key has been revealed (i.e. any address that has been spent from before). Bitcoin's response is to draft post-quantum signature schemes (lattice-based, hash-based) and migration paths so coins can be re-locked before CRQCs arrive.
Mechanism
Two threat windows matter. The first: pre-spent coins (those with revealed pubkeys, like P2PK from 2010) are immediately vulnerable to a CRQC — they should be migrated to address types that only reveal a hash. The second: during the brief window between a spending transaction reaching the mempool and being mined, the pubkey is public and could be attacked. The response is post-quantum signature schemes — FALCON, Dilithium, SPHINCS+, XMSS — each with size/speed/trust trade-offs.
1. CRQCs do not exist today. Best estimates put their arrival at 10–30 years away (probabilistic).
2. NIST is standardising post-quantum signature schemes (CRYSTALS-Dilithium, FALCON, SPHINCS+ as of 2024).
3. Bitcoin researchers draft BIPs for post-quantum-safe address types (e.g. hash-based signatures, Lamport variants).
4. When CRQCs become imminent, a soft fork activates the new address types. New outputs use PQ schemes.
5. Users migrate funds from legacy addresses to PQ-safe addresses (this is the bottleneck — millions of UTXOs need to move).
6. Pre-spent / never-migrated coins ("Patoshi" UTXOs) become permanently at risk; they may need to be voluntarily burned or locked.
Quantum threat surface for Bitcoin (today)
Vulnerable to CRQC today:
- P2PK outputs (early 2009/2010): ~1–2M BTC, including most of the Satoshi-era coins
- Reused addresses
- Recently-spent addresses (until re-locked)

Safe from CRQC today:
- P2PKH unspent (hash, no pubkey on-chain)
- P2SH unspent (hash of redeem script)
- P2WPKH unspent (hash of pubkey)
- P2TR unspent (pubkey is on-chain, but…); P2TR after a spend → vulnerable like P2PK
- Cold storage that has NEVER been spent from
PQ signature scheme    Size      Speed      Notes
─────────────────────────────────────────────────────────────────────
CRYSTALS-Dilithium     ~2.4 KB   Very fast  NIST primary lattice choice
FALCON                 ~700 B    Fast       NIST compact lattice choice
SPHINCS+               ~7 KB     Slow       Hash-based, ultra-conservative
XMSS                   ~2 KB     Slow       Stateful hash-based
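The table lists SPHINCS+ as large, slow and hash-based. As an added example (not code from the page or from any project it mentions), the Lamport one-time signature below shows in miniature why a hash-based scheme needs nothing but a one-way hash, why its signatures run to kilobytes, and why each key must sign only once; SPHINCS+ arranges many such one-time keys in a hypertree and picks a leaf pseudo-randomly per signature, which is what lets it stay stateless where XMSS must track used leaves.

```python
import hashlib
import secrets

# Lamport one-time signature over SHA-256 (constructed teaching example, not SPHINCS+).
# The only security assumption is that SHA-256 is one-way: the private key is
# 2 x 256 random secrets, the public key is their hashes, and a signature reveals
# one secret per bit of the message digest.
N = 32  # 32-byte secrets and a 256-bit digest -> 256 bit positions

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # sk[i] = (secret for bit i == 0, secret for bit i == 1); pk[i] = their hashes
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(8 * N)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk

def _bits(digest: bytes):
    # Big-endian bit list of the digest, most significant bit first
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(8 * N)]

def sign(sk, msg: bytes) -> list:
    # For each bit i of H(msg), reveal the secret committed to for that bit value
    return [sk[i][b] for i, b in enumerate(_bits(H(msg)))]

def verify(pk, msg: bytes, sig: list) -> bool:
    if len(sig) != 8 * N:
        return False
    # Re-hash every revealed secret and compare with the public commitment
    # for the bit value the message digest demands at that position
    return all(H(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _bits(H(msg)))))

def sig_size_bytes(sig: list) -> int:
    # 256 secrets x 32 bytes = 8192 bytes, in the same league as SPHINCS+'s ~7 KB
    return sum(len(s) for s in sig)

def secrets_exposed(sigs: list) -> int:
    # Count distinct (position, secret) pairs an observer learns from signatures
    # made with ONE key. One signature exposes exactly half the secrets; a second
    # signature on a different message exposes more, which is why the key is
    # strictly one-time and why SPHINCS+/XMSS never reuse a leaf.
    return len({(i, s) for sig in sigs for i, s in enumerate(sig)})
```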
DISTANT THREAT
CRQCs do not exist; consensus is 10+ years out. But "harvest now, decrypt later" attacks make planning today still wise.
HASH-PROTECTED
Bitcoin already hashes pubkeys for legacy addresses — coins are PQ-safe AS LONG AS they have never been spent from.
MIGRATION REQUIRED
STANDARDISED
NIST has published the first post-quantum signature standards (2024). Bitcoin BIP drafts are tracking the ecosystem.
Things that catch people out
- "Quantum computers will break Bitcoin tomorrow" headlines are clickbait. Today's quantum hardware is many orders of magnitude away from cryptographically-relevant size.
- "Patoshi" coins from 2009/2010 are in P2PK outputs with public keys on-chain — these are the most exposed if/when CRQCs arrive.
- Don't migrate to "post-quantum" addresses promoted by random projects — wait for community-vetted BIPs and Bitcoin Core support.
- Quantum-resistant doesn't mean quantum-proof. PQ schemes are believed safe based on current cryptanalysis; nothing is mathematically certain at this stage.
Related concepts
Other terms from the Post-Quantum Bitcoin section:
Post-Quantum Cryptography (PQC)
Cryptography believed to resist attacks by future quantum computers.
Quantum Computing Threat
A sufficiently large quantum computer running Shor's algorithm could break ECDSA and Schnorr.
Shor's Algorithm
Polynomial-time quantum algorithm for factoring and discrete logs; breaks Bitcoin's signatures if scaled.
Lattice-based Cryptography
PQ schemes built on hardness of lattice problems (LWE, SIS); fast verification, moderate sig sizes.
Hash-based Signatures (PQC)
Signature schemes (SLH-DSA, XMSS) whose security depends only on hash function strength.
FALCON
NIST-selected PQ lattice signature scheme; ~666-byte signatures.
CRYSTALS-Dilithium / ML-DSA
NIST's primary PQ digital signature standard; ~2,420-byte signatures.