Satoshi Nakamoto defended Bitcoin's SHA-256 hash function in a July 16, 2010 Bitcointalk forum post, establishing security principles that remain active sixteen years later. Google Quantum AI revised its estimate in 2026, stating that breaking Bitcoin's elliptic curve would require approximately 500,000 physical qubits, down from earlier projections. Bitcoin developers merged BIP-360 in 2026 to introduce quantum-resistant pay-to-Merkle-root addresses starting with bc1z, while an estimated 7 million bitcoin in older address formats face potential exposure if quantum computing advances reach projected 2029-2035 timelines.
On July 16, 2010, Bitcointalk user bdonlan questioned whether Bitcoin's double SHA-256 hashing weakened security. Satoshi Nakamoto responded directly, comparing SHA-256 to the transition from 32-bit to 64-bit computing. Satoshi stated that computers ran out of 32-bit address space at 4 gigabytes, but nobody expects to run out of 64-bit space anytime soon, and SHA-256 operates on the same principle.
Satoshi also outlined an exit plan: if SHA-256 ever weakened, developers could implement a soft fork to a new hash function at a set block height, allowing old and new hashes to run side by side until every node upgraded. Bitcoin's market capitalization has since grown past a trillion dollars, with the network settling hundreds of billions of dollars in value daily, all relying on the hash function Satoshi defended in that single forum reply.
Bitcoin's code hashes data twice using SHA256(SHA256(data)), a method called SHA256d. Cryptographers Niels Ferguson and Bruce Schneier recommended this approach to block length extension attacks, a flaw in the Merkle-Damgard structure that SHA-2 uses. Miners hash block headers twice to meet the network's difficulty target, and nodes hash transactions twice to build Merkle trees. Wallets add a third layer using RIPEMD-160 over SHA-256 to shorten public keys into addresses.
The National Institute of Standards and Technology published SHA-256 in 2001 as part of the SHA-2 family. The algorithm requires roughly 2^128 operations to force a collision and roughly 2^256 to force a preimage. Sixteen years after Bitcoin's launch, no researcher has found a working collision, preimage, or second preimage attack against full SHA-256. NIST and independent groups such as ECRYPT-CSA continue to rate the full function as secure.
Google Quantum AI published research in 2026 that lowered the qubit count needed to break Bitcoin's elliptic curve to approximately 500,000 physical qubits. Current quantum machines operate in the range of 1,000 to 1,500 qubits. Researchers estimate a working quantum threat could materialize between 2029 and 2035, depending on progress in error correction.
Grover's algorithm speeds up brute-force search and, when run against SHA-256, cuts effective security from 256 bits to about 128 bits. Shor's algorithm poses a larger problem by targeting signatures rather than hashes. A quantum computer running Shor's algorithm could extract a private key from an exposed public key on Bitcoin's elliptic curve. An estimated 7 million bitcoin, close to 35% of supply, sit in addresses with exposed public keys.
Bitcoin developers merged BIP-360 in 2026, introducing a new address format called pay-to-Merkle-root addresses starting with bc1z, built around quantum-resistant signature schemes. A companion proposal, BIP-361, outlines how the network could eventually sunset older, exposed address types, though this proposal has generated more controversy.
Post-quantum signatures require more block space than the signatures Bitcoin currently uses. Researchers are testing hash-based signature schemes to manage the migration. Developers face the challenge of handling coins locked in old addresses whose owners are inactive or unreachable, including bitcoin tied to Satoshi's own early wallets.
SHA-256 remains untouched by any known attack, classical or quantum, and requires no immediate action from holders. Signature exposure represents the primary concern. Holders with coins in old-style addresses, or anyone who has reused a Bitcoin address, carry more exposure than users of modern output types with public keys that remain hidden until spending.
Satoshi closed the 2010 thread with a statement that any attack strong enough to break SHA-256 would likely damage stronger cousins like SHA-512, making a full break unlikely on its own. Bitcoin's defense relies on the ability to migrate before a threat becomes operational.
What did Satoshi Nakamoto say about SHA-256 on July 16, 2010?
Satoshi Nakamoto defended Bitcoin's SHA-256 hash function in a Bitcointalk forum post on July 16, 2010, comparing it to the jump from 32-bit to 64-bit computing and stating that the algorithm provides sufficient security margin. Satoshi also described a soft fork migration path to a new hash function if SHA-256 ever weakened.
How many qubits does Google Quantum AI estimate are needed to break Bitcoin's curve?
Google Quantum AI published research in 2026 revising the estimate to approximately 500,000 physical qubits to break Bitcoin's elliptic curve. Current quantum machines operate in the range of 1,000 to 1,500 qubits, with researchers projecting a potential quantum threat timeline between 2029 and 2035.
What does BIP-360 do for Bitcoin's quantum resistance?
BIP-360, merged by Bitcoin developers in 2026, introduces pay-to-Merkle-root addresses starting with bc1z that use quantum-resistant signature schemes. The proposal aims to protect Bitcoin holdings from future quantum computing threats by providing an address format that resists attacks from Shor's algorithm.
Related News
Bitcoin Tests $64,500 Resistance After Bouncing From $62,516 Low on July 18
ChatGPT AI Predicts Bitcoin $180K-$250K by End of 2026 from $63K
Bitcoin Technical Analysis: Projections Target $76K Rally Before Decline
Fidelity Analyst Sees Bitcoin Cycle Bottom as 40% Supply Turns Underwater