Hash-based signatures as Bitcoin’s post-quantum defence: risks from Taproot and xpub exposure

Two technical pieces analyse quantum-computing threats to Bitcoin’s secp256k1 signatures and evaluate hash-based signatures (HBS) as conservative post-quantum replacements for ECDSA/Schnorr. Both articles explain that Shor’s algorithm enables a quantum adversary to derive private keys from exposed public keys, while hash functions remain comparatively resistant (Grover’s square-root speedup). They review how Bitcoin output types affect exposure: P2PKH/P2WPKH and P2SH/P2WSH are relatively safe while unused (only a hash visible) but vulnerable when spending reveals a public key or redeem script; reused addresses and leaked BIP32 extended public keys (xpub) expand the attack surface. Taproot (P2TR) is singled out as especially high-risk because outputs directly encode a public key and can be targeted even if never spent. Multisig via OP_CHECKMULTISIG raises the attacker’s work (need to recover m-of-n keys), while key-aggregated Taproot multisig loses that multiplicative advantage. The articles list practical selection criteria for post-quantum signatures — key/signature sizes, statefulness, reusability, and performance — and introduce hash-based signature families (starting from Lamport) as well-understood conservative candidates built from secure hash functions. Finally, the author outlines a potential migration path that tries to improve Bitcoin’s quantum resistance without immediate consensus changes, while noting trade-offs (large keys/signatures, stateful schemes, UX and storage costs) and the remaining practical timeline uncertainty for when quantum attacks become feasible. Primary keywords: post-quantum, hash-based signatures, Bitcoin, Taproot, P2TR, BIP32, secp256k1. Secondary keywords: quantum adversary, Lamport signatures, address reuse, multisig, xpub.
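To make the Lamport scheme named above concrete, here is an added example (not code from either article): key generation, signing and verification over SHA-256, plus a stateful wrapper that enforces the one-time rule. The `OneTimeSigner` name and the use of `os.urandom` are assumptions of this example; the 16 KiB keys and 8 KiB signatures it produces illustrate the size trade-off the summary mentions.

```python
import hashlib
import os

HASH_BITS = 256  # SHA-256 digest length: one preimage pair per message-hash bit


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen(rng=os.urandom):
    """Return (secret_key, public_key) for a one-time Lamport signature.
    secret_key: 256 pairs of random 32-byte preimages (16 KiB).
    public_key: SHA-256 of every preimage (also 16 KiB)."""
    sk = [(rng(32), rng(32)) for _ in range(HASH_BITS)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def message_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant first; bit i selects pair i."""
    digest = int.from_bytes(sha256(msg), "big")
    return [(digest >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def lamport_sign(sk, msg: bytes) -> bytes:
    """Reveal one preimage per message-hash bit: a 256 * 32 = 8 KiB signature."""
    return b"".join(sk[i][bit] for i, bit in enumerate(message_bits(msg)))


def lamport_verify(pk, msg: bytes, sig: bytes) -> bool:
    """Hash each revealed preimage and compare with the published hash for that bit."""
    if len(sig) != 32 * HASH_BITS:
        return False
    chunks = [sig[i * 32:(i + 1) * 32] for i in range(HASH_BITS)]
    return all(sha256(chunks[i]) == pk[i][bit]
               for i, bit in enumerate(message_bits(msg)))


class OneTimeSigner:
    """Stateful wrapper (hypothetical name): refuses a second signature, because
    every extra signature reveals more secret preimages and erodes the scheme's
    security; this is the 'statefulness' cost the articles list for HBS."""

    def __init__(self, rng=os.urandom):
        self.sk, self.pk = lamport_keygen(rng)
        self.used = False

    def sign(self, msg: bytes) -> bytes:
        if self.used:
            raise RuntimeError("Lamport key already used; reuse leaks secret preimages")
        self.used = True
        return lamport_sign(self.sk, msg)
```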
Neutral
The reporting highlights a credible long-term security risk to Bitcoin from quantum computing, especially for outputs that expose public keys (notably Taproot) and leaked xpubs. For traders, this is not an immediate price catalyst because practical quantum attacks on secp256k1 remain uncertain and likely years away. Near-term market impact should be limited: no hard protocol break or immediate consensus change is imminent, and migration proposals (hash-based signatures) would introduce operational trade-offs that slow adoption. However, the news raises longer-term structural risks that could influence institutional custody, wallet practices (avoid address reuse, protect xpubs), and risk premia over time. Traders might see modest volatility around related announcements (standards, client upgrades, large xpub leaks) but the net effect on BTC price is neutral today — the report informs risk management rather than providing a direct bullish or bearish trigger.