The Wavefunction of Value:
Quantum Money in a Post-Quantum Era

Bitcoin marked the advent of internet-native digital value. It provided an "electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party" [1], proving that scarcity could exist natively on the internet and ushering in a new era of decentralized value creation. Yet as we move deeper into the 21st century, new questions emerge about the long-term durability of cryptographically secure digital assets. How will quantum computing reshape the security assumptions that underpin today’s internet-native store of value? Do quantum computers challenge our notions of digital scarcity and trustless value? Is our cryptographic infrastructure truly built to withstand the computational paradigm shift ahead? And perhaps most interestingly, can Bitcoin survive the next 50 years?
Quantum technologies have moved beyond theoretical exploration into a rapidly advancing frontier. The industry is backed by over $42 billion in government investment aimed at driving research, commercialization and infrastructure development [2]. As this momentum builds, it is becoming increasingly clear that quantum computing is a technology with the potential to disrupt the cryptographic foundations of Bitcoin and other digital assets, while also raising deeper questions about the future of trust and economic value. Yet just as Bitcoin helped us reimagine money for the internet age, quantum computing offers equally radical ideas. Quantum mechanics, it turns out, offers us a framework for electronic cash that is secured not by cryptographic proofs, but by the irreducible properties of our universe.


Nakamoto’s Dilemma

Bitcoin relies on cryptography; that's what makes it a cryptocurrency. Its value is determined by the security of cryptosystems, specifically the hardness of the discrete logarithm problem used in ECDSA signatures and the collision resistance of SHA-256 hashing. These assumptions remain extremely secure in classical computing environments but are less robust in the face of quantum computation.
Shor's algorithm, when implemented on a sufficiently large quantum computer, can efficiently break ECDSA by solving the discrete logarithm problem in polynomial time. This is exponentially faster than any known method using our computer architectures today [3]. While the term "polynomial time" sounds abstract, it is used to separate the possible from the impossible in computational terms. It represents algorithms that:

  • Execute within reasonable time frames as input sizes grow (i.e., simply increasing the bit length of the problem isn’t a viable solution)

  • Solve problems previously considered computationally intractable

  • Transform previously theoretical vulnerabilities into practical attacks

These implications are stark. Once large-scale quantum hardware is deployed, every unspent Bitcoin output with an exposed public key becomes vulnerable. Yet mitigating this risk is not straightforward. Upgrading Bitcoin’s cryptography presents significant technical and governance challenges. The network's governance moves slowly by design, and implementing post-quantum signatures would require wide consensus and broad coordination. Proposals such as BIP 360 [4] have suggested quantum-safe extensions, but discourse remains minimal and progress stagnant. This underscores a deeper, potentially systemic risk that Bitcoin will not be able to make the necessary changes in an appropriate amount of time. Notably, this concern was reflected in BlackRock’s recent amendment to the risk disclosure in its S-1 filing [5].
“While various actors in the Bitcoin community are taking steps to enable the uses of cryptographic algorithms that would be resistant to advanced quantum computers, there is no guarantee that new quantum-proof architectures will be built and appropriate transitions will be implemented across the network at scale in a timely manner; any such changes could require the achievement of broad consensus within the Bitcoin network community and a fork (or multiple forks), and there can be no assurance that such consensus would be achieved or the changes implemented successfully.”


Origins of Quantum Money

Long before Bitcoin, physicist Stephen Wiesner imagined his own novel form of currency. In his 1983 paper, Wiesner proposed exploiting the no-cloning theorem of quantum mechanics to create money that cannot be counterfeited [6]. The scheme relies on a central property of quantum physics: an unknown quantum state cannot be perfectly copied. Unlike our current paradigm, where duplicating data is trivial, quantum information in an unknown superposition resists perfect replication.
In Wiesner's scheme, each banknote contains a serial number paired with a quantum state represented as a sequence of qubits prepared in specific orientations known only to the issuing bank. When verifying a banknote, the bank measures each qubit in its corresponding basis. Any attempt to copy the note without knowing these bases would inevitably alter the quantum state, making forgery detectable and creating intrinsic scarcity.
This is a radical shift in monetary theory. For millennia, humanity has relied on scarcity that can be exploited—rare shells, precious metals, state authority, and eventually energy-intensive mining. Wiesner's concept introduced something fundamentally different: scarcity arising from properties of quantum mechanics. His scheme established two important properties:

  • Non-clonability: A valid banknote cannot be copied, even in principle

  • Verifiability: The issuer can definitively authenticate genuine notes
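
The sketch below is an added example, not code from this article or from Wiesner's paper: a classical simulation of the banknote scheme described above. It models each qubit as a (basis, bit) pair and assumes a copier who guesses a basis, measures, and re-prepares the qubit; the names Bank, measure and naive_copy are illustrative.

```python
import random

# Classical model of a conjugate-coded qubit: (basis, bit).
# basis 0 = rectilinear, basis 1 = diagonal.

def measure(qubit, basis):
    """Measure `qubit` in `basis`; return (outcome, collapsed_qubit)."""
    prepared_basis, bit = qubit
    # Matching basis reads the bit exactly; a mismatched basis yields a coin flip.
    outcome = bit if basis == prepared_basis else random.randrange(2)
    return outcome, (basis, outcome)

class Bank:
    def __init__(self):
        self._ledger = {}  # serial -> secret list of (basis, bit)

    def mint(self, n_qubits):
        serial = "%016x" % random.getrandbits(64)
        secret = [(random.randrange(2), random.randrange(2)) for _ in range(n_qubits)]
        self._ledger[serial] = secret
        return serial, list(secret)  # the note: serial number plus qubits

    def verify(self, serial, qubits):
        secret = self._ledger.get(serial)
        if secret is None or len(qubits) != len(secret):
            return False
        # Measure every qubit in the basis only the bank knows.
        return all(measure(q, basis)[0] == bit
                   for q, (basis, bit) in zip(qubits, secret))

def naive_copy(qubits):
    """Copy attempt without the bases: guess, measure, keep the collapsed state."""
    return [measure(q, random.randrange(2))[1] for q in qubits]

def forgery_pass_rate(n_qubits, trials):
    """Fraction of copied notes that the bank accepts."""
    bank = Bank()
    passed = 0
    for _ in range(trials):
        serial, qubits = bank.mint(n_qubits)
        passed += bank.verify(serial, naive_copy(qubits))
    return passed / trials

if __name__ == "__main__":
    for n in (1, 8, 32):
        print(n, forgery_pass_rate(n, 20000))
```

Under this copying strategy each qubit survives verification with probability 3/4, so an n-qubit copy is accepted with probability (3/4)^n, which is why the bank's detection becomes near-certain as notes grow longer.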

Wiesner proposed quantum money that required a central authority to verify it. Satoshi introduced digital money that could be secured by a decentralized network. This raises a natural question. Can we create quantum money that is both secure and decentralized?


Trustless Quantum Money

Despite its conceptual elegance, Wiesner's model faces practical limitations. Verification created both a scalability bottleneck and a central point of failure by requiring the bank to maintain an enormous secret database mapping serial numbers to their corresponding quantum states.
This challenge led to the development of trustless quantum money, a natural evolution of Wiesner's original idea. These systems allow anyone to verify a banknote's authenticity without requiring secret knowledge. The mint still generates quantum banknotes, but the verification procedure becomes public, preserving the crucial no-cloning property that prevents an adversary from creating duplicates that pass verification (solving the age-old double-spend problem). Several constructions for this model have since emerged:

  • Hidden subspace states: Each banknote represents a superposition over a hidden subspace of a vector space. Verification checks membership in this subspace using some explicit information about the subspace A, but not enough information to counterfeit or sabotage notes, even among colluders [7].

  • Knot theory-based currencies: These encode banknotes as quantum states representing topological structures with invariant properties. Verification is performed using mathematical invariants like the Alexander polynomial [8].

  • Walkable invariants: Quantum money schemes built from group actions that create superpositions over orbits, enabling public verification via projective measurements testing invariance under symmetry operations [9].

These constructions take important steps towards realizing practical implementations of quantum money that are scalable and trustless. Public verification that does not disclose the quantum states solves the main problem in Wiesner's model while keeping its strongest feature, the no-cloning protection against counterfeiting. The challenge now is making these systems work in practice, since quantum hardware still needs better error correction, longer coherence times, and more precise state preparation. But the core ideas are already in place. Trustless quantum money turns a centralized concept into a foundation for open and secure quantum financial systems and brings us closer to a future where value is protected by the laws of physics.


A Quantum Store of Value

Bitcoin arose from the ashes of the 2008 financial crisis in a moment when trust in institutions collapsed. It gave us digital scarcity anchored in proof-of-work and the conviction that money could exist natively on the internet. But as quantum computers advance, so do quantum adversaries. We stand at the confluence of exponential technological acceleration in every direction. Artificial intelligence and quantum computing compound in capability daily. Large language models approach general intelligence while quantum hardware crosses critical error-correction thresholds. Entire industries are set to be redefined, and digital assets are no exception. The foundation of Bitcoin's trust-minimal design, its assumption of cryptographic hardness, begins to soften in this new world.
It’s time to reimagine digital money from quantum-first principles.
Quantum money offers one compelling vision. It is not a patchwork of upgrades to existing infrastructure but a fundamental redesign of value as defined by physical scarcity. The search for a quantum-native store of value shouldn't be seen as rejecting Bitcoin but as extending its legacy. Just as Bitcoin established the groundwork for digital value, quantum money lays the foundation for value in the quantum era. The question isn't whether we'll need monetary systems that survive the quantum era but whether we'll be ready when that future arrives.



[1] Nakamoto, S. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System.
[2] McKinsey & Company. (2023). The rise of quantum computing: How to prepare for the coming revolution. Retrieved from https://www.mckinsey.com/featured-insights/the-rise-of-quantum-computing
[3] Shor, P. W. (1997). Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer.
[4] Beast, H. (2024). BIP 360: Pay to Quantum Resistant Hash. Bitcoin Improvement Proposal. Retrieved from https://github.com/cryptoquick/bips/blob/p2qrh/bip-0360.mediawiki
[5] BlackRock, Inc. (2025). S-1 Registration Statement: iShares® Bitcoin Trust ETF. SEC.gov. https://www.sec.gov/Archives/edgar/data/1980994/000143774925015853/bit20250418_posam.htm
[6] Wiesner, S. (1983). Conjugate Coding. ACM SIGACT News, 15(1), 78–88.
[7] Aaronson, S., & Christiano, P. (2012). Quantum Money from Hidden Subspaces. arXiv preprint arXiv:1203.4740v3.
[8] Kundu, S., & Tan, E. Y.-Z. (2024). Device-independent uncloneable encryption. arXiv preprint arXiv:2210.01058v5.
[9] Liu, J., Montgomery, H., & Zhandry, M. (2022). Another Round of Breaking and Making Quantum Money: How to Not Build It from Lattices, and More. arXiv preprint arXiv:2211.11994. https://arxiv.org/abs/2211.11994
