
Should Satoshi Nakamoto’s Bitcoins Be Erased?

13h05 ▪ 9 min read ▪ by Nicolas T.

The quantum computer will pose a big dilemma. What to do with Satoshi Nakamoto’s bitcoins and other millions of lost BTC?


In brief

  • Bitcoin Core developer Agustin Cruz proposes a BIP to make Bitcoin resistant to the quantum threat.
  • What to do with Satoshi Nakamoto’s bitcoins and millions of other lost bitcoins?
  • At the heart of bitcoin’s cryptographic mechanics.
  • How long will it take to migrate all BTC to addresses resistant to a quantum attack?

Bitcoin and the quantum threat

Bitcoin developer Agustin Cruz proposes a hard fork that would force everyone to transfer their BTC to addresses resistant to quantum attacks.

His BIP suggests a mandatory migration period from current Bitcoin addresses (i.e., addresses secured by ECDSA) to addresses resistant to quantum computers. After a certain date, bitcoins that have not moved will become unrecoverable.

Before addressing the philosophical and technical questions raised by this BIP, let’s emphasize that the quantum threat is not a fantasy.

For Microsoft, the quantum computer will be a reality within several “years, not decades”. Google and IBM also predict that the major technological breakthrough is closer than many think.

Scott Aaronson, a researcher with 25 years of experience in quantum computing, recently sounded the alarm:

I had until now been used to saying that we might, eventually, consider the necessity to migrate from elliptic curve cryptography to cryptographic systems plausibly resistant to a quantum attack. I think today the message must be: yes, clearly, worry. Have a plan.

Scott Aaronson, 2024

Pierre-Luc Dallaire-Demers, a researcher at the University of Calgary, estimates that “there are about five years left before a quantum computer can break the elliptic curve keys that secure bitcoins”.

It is therefore time to revive the debate.

The dilemma…

Should we prevent Google or Microsoft from taking control of bitcoins that have not migrated to resistant addresses? That is, the million bitcoins mined by Satoshi Nakamoto and the other two million BTC estimated to be lost?

Jameson Lopp published a long article on his blog weighing the pros and cons. The cypherpunk agrees with Agustin Cruz and recommends destroying BTC vulnerable to quantum computers.

Pieter Wuille, the most experienced Bitcoin developer (25 BIPs), is on the same wavelength:

Of course bitcoins should be destroyed. If and when (and it’s a big if) the existence of a quantum computer capable of breaking cryptography becomes a credible threat, we will have no choice but to remove the ability to spend bitcoins secured by ECDSA cryptography. Otherwise, millions of BTC become vulnerable to theft. I don’t see how any currency can maintain any value in such a context. And this affects everyone, even those who have moved their bitcoins to resistant addresses [because this theft could lower the bitcoin price].

Pieter Wuille, 2025

Others, like the CEO of Tether, do not seem overly worried:

Resistant addresses will be added to Bitcoin before the quantum threat becomes serious. Everyone alive (and with access to their wallets) will transfer their bitcoins to this new type of address. All lost bitcoins, including those of Satoshi (if he is no longer alive), will be hacked and put back into circulation.

Paolo Ardoino, 2025

Did Satoshi Nakamoto want Microsoft to get hold of his bitcoins? Unlikely.

Incentive

Some point out that destroying bitcoins would betray the network’s foundations. First among them: resistance to censorship. No one should be able to deprive others of their bitcoins. Not to mention the sacred tradition of evolving the code through backward-compatible soft forks.

On the other hand, we would prevent several million bitcoins from falling into the hands of multinationals, bearing in mind that Microsoft recently refused to add bitcoin to its treasury.

Satoshi’s BTC are worth about 100 billion dollars. Those suspected to be lost forever are worth 250 billion. That’s a significant pot that Microsoft could pour into the markets.

These 350 billion could easily represent more than 2,000 billion when the quantum computer is fully operational. That’s more than Google’s market capitalization.

This leads us to another cornerstone of the Bitcoin matrix: financial incentive. The 21M BTC limit exists because we are financially incentivized not to change it. [It is with this argument that Bitcoin Core refused to filter ordinals, which are a source of income for miners].

Similarly, we all have an incentive to ensure that lost bitcoins, including those of Satoshi, never come back into circulation. Letting Microsoft sell millions of BTC impoverishes all bitcoin holders. Conversely, preventing Microsoft from accessing lost funds would worsen no one’s situation.

“No one”, or almost no one. Some absent-minded people will lose out, but whether by a hard fork or by the quantum computer, the result will be the same.

At the heart of Bitcoin cryptography

Now let’s get into the heart of the cryptographic matter. Bitcoin relies on hash functions (SHA-256), but also on asymmetric cryptography, also called “public key” cryptography. The latter is at the heart of transaction mechanics and would be vulnerable to a quantum computer.

The private/public key pairs to which BTC are linked are constructed using the secp256k1 elliptic curve (ECDSA). Bitcoins are “attached” to these keys by a supposedly unbreakable mathematical relationship.

Creating a wallet means generating key pairs that are used to perform transactions (moving bitcoins from one public key to another). In jargon, we say that a transaction creates a “UTXO” (unspent transaction output), which carries a small piece of code (a “script”). This script links a public key to an amount of BTC (a number). The principle is that only the corresponding private key can “unlock” the script and link the BTC to another public key, that is, perform a transaction.

In short, a wallet does not actually contain bitcoins. It simply holds the private keys used to unlock UTXOs, which all network nodes keep in memory. The concern is that a quantum computer could derive a private key from a public key thanks to Shor’s algorithm.

With that established, we need to explain which types of Bitcoin addresses are vulnerable. Not all of them, in truth. Mainly affected are the very old P2PK (pay-to-public-key) type addresses. These addresses were simply the public key of the script.

Since then, things have changed. Public keys are no longer really public. They are obscured by passing through the SHA-256 hash function, which is resistant to the quantum computer.

Yes, but…

How long?

Yes, but public keys are publicly revealed at the time of transactions. In other words, if you spend part of the BTC held at an address, the BTC remaining at that address become vulnerable. This is one of the reasons why you should never reuse the same addresses.
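To make the distinction concrete, here is an added example (not code from the article or from any Bitcoin project) that audits a wallet's own outputs for public-key exposure: it recognises the standard locking-script patterns, flags P2PK outputs where the key sits in the script, and flags hashed outputs whose key was already published by an earlier spend. It goes slightly beyond the article by also flagging Taproot (P2TR) outputs, which commit to a public key rather than a hash; the status labels, script bytes and amounts are constructed for illustration.

```python
# Added example: script bytes and amounts below are constructed, not real UTXOs.
from collections import Counter

def classify_script(script_hex: str) -> str:
    """Name the standard output type of a scriptPubKey, or 'unknown'."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG -- the key sits in the output
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh"      # OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"    # witness v0, 20-byte key hash
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh"     # witness v0, 32-byte script hash
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr"      # witness v1, 32-byte output key (not a hash)
    return "unknown"

def exposure(script_hex: str, spent_scripts: set) -> str:
    """Hypothetical status labels: is the public key already visible on-chain?"""
    kind = classify_script(script_hex)
    if kind in ("p2pk", "p2tr"):
        return "key-in-output"
    if kind == "unknown":
        return "review"
    if script_hex.lower() in spent_scripts:
        return "key-revealed-by-reuse"   # an earlier spend published the key
    return "hashed"

def audit(utxos, spent_scripts) -> dict:
    """Sum satoshis per exposure status for (script_hex, sats) pairs."""
    totals = Counter()
    for script_hex, sats in utxos:
        totals[exposure(script_hex, spent_scripts)] += sats
    return dict(totals)

P2PK = "41" + "04" + "11" * 64 + "ac"        # uncompressed key, constructed
P2PKH_A = "76a914" + "22" * 20 + "88ac"
P2PKH_B = "76a914" + "33" * 20 + "88ac"
P2WPKH = "0014" + "44" * 20
P2TR = "5120" + "55" * 32
UTXOS = [(P2PK, 5_000_000_000), (P2PKH_A, 150_000), (P2PKH_B, 70_000),
         (P2WPKH, 20_000), (P2TR, 10_000)]
SPENT = {P2PKH_A}   # scripts this wallet has already spent from

if __name__ == "__main__":
    print(audit(UTXOS, SPENT))
```

Outputs reported as "hashed" keep their key hidden only until they are first spent, which is why the migration has to move them to a fresh address rather than leave change behind.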

In short, everyone will sooner or later have to manually move their BTC to new addresses. And this is likely to take some time since the network’s transaction throughput is limited.

Jameson Lopp estimates that it will take the equivalent of six months of block space to secure all BTC. Or even one month if we exclude microscopic UTXOs (dust UTXOs).

Of course, this is the ideal scenario. The process will surely take longer, if only due to rising transaction fees that will encourage some to postpone the deadline. All things considered, a migration period of four years seems necessary. After that, BTC still associated with old addresses will be lost forever.

In summary, if the moral dilemma posed by violating one of Bitcoin’s inviolable properties is troubling, game theory and financial incentives suggest that the choice will be made to forbid powers with quantum supremacy from claiming lost BTC.

The debate is likely to be fascinating.

Nicolas T.

Bitcoin, geopolitical, economic and energy journalist.
