Understanding quantum-resilience for your Casa vault safety
Summary: This article addresses the safety of a vault from a quantum-resilience perspective when transactions are not signed with other keys and no sats are spent from the vault.
Quantum-Resilience and Vault Safety
When considering the safety of your vault from a quantum-resilience perspective, it is important to understand how the Casa app manages your Bitcoin addresses and transactions.
Key Points:
- Unused Addresses: In a multisig hierarchical deterministic (HD) wallet like Casa, each device generates unique public keys for each address. If you do not sign a transaction with the other keys and never spend any sats from the vault, the public keys associated with those unused addresses remain unrevealed.
- Change Addresses: When you make a transaction, the Casa app utilizes "change" addresses. This means that the amount sent to a recipient is separated from the remainder of your balance, which is returned to a new, unused address. This process is crucial for maintaining quantum security.
- Protection Against Quantum Threats: By automatically sweeping your balance to fresh, unused, unrevealed addresses, Casa ensures that your Bitcoin remains protected against potential future quantum threats. Only the public keys of addresses that you spend from are exposed on-chain, while the public keys of unused addresses stay hidden.
Conclusion
If you do not sign a transaction with the other keys and never spend any sats from your vault, it is still considered safe from a quantum-resilience perspective. The design of the Casa app inherently protects your funds by keeping unused addresses secure and unrevealed. If you have further questions or need assistance, feel free to reach out for support.
____________________________________________________________
Understanding Quantum Risk in Bitcoin and How Casa Protects Your Funds
Summary
Quantum computing represents a long-term potential threat to the cryptographic foundations of Bitcoin. While a cryptographically relevant quantum computer (CRQC) does not yet exist, the Bitcoin community, including us here at Casa, is actively preparing. This article explains what the quantum threat actually is, what it means for your bitcoin, and why Casa's self-custody architecture already provides meaningful protection today.
What Is the Quantum Threat to Bitcoin?
Bitcoin relies on elliptic curve cryptography (ECC), specifically the secp256k1 curve, to secure ownership of funds. When you hold bitcoin, you control a private key. From that private key, a public key is mathematically derived, and from the public key, a Bitcoin address is generated.
The security of this system rests on the elliptic curve discrete logarithm problem (ECDLP): deriving a private key from a public key is computationally infeasible for any classical computer. It would take longer than the age of the universe using today's hardware.
A sufficiently powerful quantum computer changes that equation. An algorithm called Shor's algorithm**, first published in 1994, can theoretically solve the ECDLP exponentially faster than classical methods. If a quantum machine achieves enough stable, error-corrected qubits to run Shor's algorithm in a practical timeframe, it could derive a private key from an exposed public key. This would allow an attacker to forge valid signatures and spend someone else's bitcoin.
** Shor's algorithm applies to the signature and public-key layer of Bitcoin, not to the mining/hashing layer. A separate algorithm called Grover's algorithm could theoretically speed up mining, but its impact is far less dramatic, roughly a quadratic speedup, which the difficulty adjustment would largely absorb.
How Far Away Is This Threat?
Current quantum computers are several orders of magnitude below the computational power required to run Shor's algorithm against Bitcoin's 256-bit elliptic curve keys. As of mid-2025, we are still in an era of noisy, error-prone quantum hardware with limited qubit counts.
However, uncertainty is the core issue. Billions of dollars in private and government capital are flowing into quantum computing R&D, creating what amounts to a technology race between major powers and tech companies. Progress could remain linear, giving us decades of lead time, or it could accelerate suddenly if a hardware breakthrough (such as scalable photonic chips) materializes.
As Casa co-founder and Chief Security Officer Jameson Lopp has noted, the threat timeline is less important than the preparation timeline. Bitcoin protocol changes take years to reach consensus, develop, activate, and propagate through the ecosystem. Even once a post-quantum cryptographic scheme is activated at the protocol level, it takes additional years for wallet software, hardware signing devices, and infrastructure providers to adopt it. This is why the conversation is happening now: the goal is to be five to ten years ahead of any real deadline.
Long-Exposure vs. Short-Exposure Attacks
Not all bitcoin is equally vulnerable. The risk depends on whether your public key has been revealed on-chain:
Long-Exposure Vulnerability
If your public key is already sitting on the blockchain (because you've spent from an address and then reused it, because you're using a legacy pay-to-pubkey (P2PK) output, or because you're using a Taproot address, which exposes the public key by default), an attacker has unlimited time to work on deriving your private key. These are the highest-priority targets. An estimated 4–5 million BTC currently fall into various categories of long-exposure vulnerability due to address reuse, legacy output types, and Taproot's design.
Short-Exposure Vulnerability
When you broadcast a transaction, your public key is briefly exposed in the mempool before a miner confirms it. A short-exposure attack would require a quantum computer fast enough to derive your private key and broadcast a competing transaction in that narrow window, likely minutes. This is a much harder attack to execute and is expected to be the last category of vulnerability to become practically exploitable.
Hash-Protected Addresses
Most modern Bitcoin address types (P2PKH, P2SH, and the native SegWit types P2WPKH and P2WSH) protect the public key behind a cryptographic hash until the moment you spend from that address; for the script-hash types, it is the script containing the public keys that is hashed. If you have never spent from an address, your public key has never been exposed on-chain, and it remains protected against long-exposure quantum attacks. This is a critical distinction.
What Does This Mean for Taproot Addresses?
Taproot (P2TR) addresses, introduced with Bitcoin's 2021 Taproot upgrade, made a design trade-off: the public key is directly embedded in the address rather than being hash-protected. This saved a small amount of block space (~8 vbytes per transaction) but inadvertently created long-exposure vulnerability to quantum attack.
BIP 360, authored by developer Hunter Beast, proposes a new output type, pay-to-tapscript-hash (P2QRH), that removes the elliptic curve key-path spend from Taproot addresses and introduces post-quantum signature algorithms. This would allow Bitcoin to preserve Taproot's scripting flexibility while closing the quantum vulnerability.
Currently, only about 100,000 BTC sit in Taproot addresses, a relatively small portion of the total supply, but this is an area the development community is actively working to address.
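To make the long-exposure distinction concrete, here is an added example (not Casa's code, and using constructed key material rather than a real key) that classifies raw scriptPubKeys by output type and reports whether the public key is already exposed: either embedded in the output itself (P2PK, P2TR) or revealed because the address was spent from and then reused. The hypothetical `audit` function is the kind of check a wallet could run over its own UTXO set.

```python
import hashlib

# Constructed sample key material (not a real key); 33-byte compressed pubkey form.
PUBKEY = b"\x02" + b"\x11" * 32
XONLY = PUBKEY[1:]                       # 32-byte x-only key as used by P2TR
# Stand-in for HASH160 = RIPEMD160(SHA256(pubkey)); truncated SHA-256 is used here
# only so the example runs on Python builds whose OpenSSL lacks RIPEMD-160.
KEY_HASH = hashlib.sha256(PUBKEY).digest()[:20]

def classify_spk(spk: bytes):
    """Return (output type, key_exposed_by_output) for a raw scriptPubKey."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK", True                  # <pubkey> OP_CHECKSIG: key is on-chain
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", False                # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", False                 # OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False               # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False                # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True                  # OP_1 <32-byte x-only pubkey>: key is on-chain
    return "unknown", True                   # conservative default for unrecognised scripts

def audit(utxos, spent_from):
    """utxos: [(scriptPubKey, sats)]; spent_from: set of scriptPubKeys that have
    already appeared in a spent input, so their keys are revealed in a witness."""
    report = []
    for spk, sats in utxos:
        kind, exposed = classify_spk(spk)
        if exposed:
            risk = "long-exposure: key embedded in output"
        elif spk in spent_from:
            risk = "long-exposure: address reused after spend"
        else:
            risk = "hash-protected: key unrevealed"
        report.append((kind, sats, risk))
    return report

# Constructed outputs built from the sample key above.
P2WPKH = b"\x00\x14" + KEY_HASH
P2PKH = b"\x76\xa9\x14" + KEY_HASH + b"\x88\xac"
P2TR = b"\x51\x20" + XONLY
P2PK = b"\x21" + PUBKEY + b"\xac"

if __name__ == "__main__":
    utxos = [(P2WPKH, 50_000), (P2PKH, 20_000), (P2TR, 10_000), (P2PK, 5_000)]
    for row in audit(utxos, spent_from={P2PKH}):   # P2PKH output was reused after a spend
        print(*row)
```

Only the fresh P2WPKH output comes back hash-protected; the reused P2PKH output is flagged even though its script type hashes the key, which is exactly why change-address rotation matters.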
The Migration Challenge
Even after a post-quantum cryptographic scheme is activated on Bitcoin, every holder of bitcoin in vulnerable address types would need to move their funds to new, quantum-safe addresses. This is unprecedented in Bitcoin's history: no prior upgrade has required users to take action with their funds.
Jameson Lopp's Bitcoin Improvement Proposal outlines a phased migration approach:
- Phase A — Reject sends to vulnerable outputs: Several years after activating a post-quantum scheme, the network would stop accepting transactions that send funds to quantum-vulnerable address types. Since there is no way to email or directly notify every Bitcoin user, this mechanism serves as a forcing function — if your transactions are being rejected, you'll be prompted to investigate and upgrade.
- Phase B — Reject spends from vulnerable outputs: After an additional grace period, the network would stop accepting transactions that spend from quantum-vulnerable scripts entirely. This effectively freezes any remaining vulnerable coins to prevent a quantum attacker from scooping them up and dumping them on the market.
- Phase C — Quantum-safe recovery: Ideally deployed alongside Phase B, this would allow legitimate owners to recover frozen funds by providing a zero-knowledge proof that they possess additional wallet information — such as the extended public key (xpub) and derivation path from a hierarchical deterministic (HD) wallet — that a quantum attacker, who only reverse-engineered a single private key, would not have.
This phased approach is designed to balance urgency with the reality that Bitcoin's ecosystem moves slowly and conservatively by design.
How Casa Already Protects You
Casa's multisig vault architecture provides several layers of quantum resilience today, even before any protocol-level changes are made:
- No Address Reuse - The Casa app automatically generates a fresh, unused address for every deposit and every change output. This is one of the most fundamental best practices in Bitcoin, originally recommended by Satoshi for privacy, and it turns out to be equally important for quantum security. Because your public keys are never exposed on-chain until you spend, your funds remain behind hash protection at all times.
- Change Address Hygiene - When you send a transaction from your Casa vault, the app automatically sweeps your remaining balance to a new, unrevealed change address. This means that even after spending, your unspent funds rotate into fresh addresses where the public keys have never been exposed.
- Hierarchical Deterministic (HD) Wallets - Casa uses HD wallet architecture (BIP 32), which means all of your keys are derived from a root seed through a deterministic derivation path. This is significant for quantum resilience because the proposed Phase C recovery scheme specifically relies on HD wallet data. If vulnerable funds are ever frozen at the protocol level, HD wallet users would have a path to prove legitimate ownership through zero-knowledge proofs, something a quantum attacker could not do.
- Multisig Architecture - Casa's 2-of-3 and 3-of-5 multisig vaults distribute signing authority across multiple independent keys stored on separate hardware devices and locations. While multisig does not inherently provide quantum resistance at the cryptographic level (each individual key still uses ECC), it does add practical security depth. An attacker would need to compromise multiple keys, not just one, to spend your funds.
- Non-Taproot Address Types - Casa vaults currently use address types that benefit from hash protection of public keys (not Taproot's exposed-key format), providing an additional layer of defense against long-exposure quantum attacks.
What You Can Do Today
While a cryptographically relevant quantum computer does not exist yet, good security hygiene now will put you in the strongest possible position:
- Don't reuse Bitcoin addresses. This is the single most impactful step. If you use Casa, this is handled for you automatically.
- Use a multisig vault for significant holdings. Casa's 3-of-5 and 2-of-3 setups distribute risk across multiple keys and devices.
- Use an HD wallet. Virtually all modern wallets (including Casa) are hierarchical deterministic, which positions you for future quantum-safe recovery schemes.
- Avoid Taproot-only wallets if quantum resilience is a priority. Taproot addresses expose your public key by default.
- Stay informed. The quantum landscape is evolving. Follow developments around BIP 360 and related proposals. Casa will communicate any necessary actions to members as the ecosystem progresses.
The Bigger Picture
The greatest long-term threat to Bitcoin is not quantum computing itself; it's apathy. The Bitcoin community's ability to identify potential threats early, debate solutions openly, and coordinate upgrades proactively is what makes the network anti-fragile. Quantum preparedness is a test of that resilience.
The good news: serious technical work is underway across multiple fronts, from post-quantum signature algorithms (like the NIST-approved SLH-DSA) to novel approaches using hash-based schemes and zero-knowledge proofs for signature aggregation. These efforts aim not only to defend against quantum attacks but potentially to improve Bitcoin's throughput and efficiency in the process.
Casa will continue to monitor these developments closely and ensure that our members' self-custody experience remains secure, simple, and ahead of the curve. If you have questions about your vault's quantum resilience or need assistance, don't hesitate to reach out to our support team at help@team.casa.
Last updated: February 2026