
    Lightning Network: A Quantum Threat That Can Be Addressed


    Shell contends the network can be repaired and offers an alternative perspective on the recent quantum discussion.

    (Dale Kaminski/Getty Images)

    A recent statement by Udi Wertheimer sparked widespread attention in cryptocurrency circles with the bold assertion that the Lightning Network is «hopelessly broken» in the era of quantum computing, claiming developers are powerless to stop it. This narrative spread rapidly, causing concern for enterprises that have invested in or are considering Lightning-based payment solutions.

    This claim warrants a thoughtful and balanced reply.

    Wertheimer is a well-regarded figure in Bitcoin development, and his core worry is valid: quantum computers, should they ever reach sufficient power, present a genuine long-term threat to the cryptographic foundations of both Bitcoin and Lightning. While this reality is acknowledged and actively addressed by the Bitcoin developer community, describing Lightning as «hopelessly broken» misrepresents the situation and fails to provide the clarity needed for informed infrastructure decisions.

    Where Wertheimer’s analysis holds true

    When establishing a Lightning payment channel, participants must exchange public keys with their counterparty. In a hypothetical future with cryptographically relevant quantum computers (CRQCs), a malicious actor who gains access to these public keys could theoretically employ Shor’s algorithm to calculate the corresponding private key and subsequently steal funds.

    Understanding the actual scope of the threat

    The danger is significantly more constrained and conditional than the notion that «any Lightning balance is vulnerable.»

    First, while a channel is open, only hashes appear on the blockchain. The funding transaction uses P2WSH (Pay-to-Witness-Script-Hash), which keeps the public keys of the 2-of-2 multisig hidden on-chain for as long as the channel remains active. Furthermore, Lightning payments rely on HTLCs (Hashed Time-Lock Contracts), which are settled by revealing hash preimages rather than by exposing public keys. A quantum adversary monitoring the blockchain passively would not see the keys necessary for an attack.

    The actual attack vector is much narrower: a forced channel closure. When a channel is closed and a commitment transaction is broadcast, the locking script becomes publicly visible for the first time, including the local_delayedpubkey, a standard elliptic-curve public key. By design, the node broadcasting this transaction cannot immediately access its funds; a CSV (CheckSequenceVerify) timelock, usually 144 blocks (approximately 24 hours), must first pass.

    In a post-quantum scenario, an attacker monitoring the mempool and the chain could detect a confirmed commitment transaction, extract the exposed public key, run Shor’s algorithm to derive the private key, and attempt to spend the funds before the timelock expires. Force-closed HTLC outputs create further windows, some as brief as 40 blocks, or roughly six to seven hours.

    This represents a genuine, specific vulnerability. However, it is a timed race against an attacker who must actively solve one of the most complex mathematical problems in existence, within a strict timeframe, for each specific output they wish to compromise. It is not a silent, passive drain on all Lightning wallets at once.
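To make concrete what is and is not visible at each stage, here is an added Python example (not from the original column or any Lightning implementation) that builds the BOLT-3 to_local script, shows that the P2WSH output on-chain during the channel's life contains only a hash, and then parses the script as it would appear after a force close to list the exposed public keys and the CSV delay that defines the race window. The two public keys are constructed placeholders (prefix byte plus a hash), not real curve points.

```python
import hashlib

# Bitcoin script opcodes used by the BOLT-3 to_local script and a P2WSH output.
OP_0, OP_IF, OP_ELSE, OP_ENDIF = 0x00, 0x63, 0x67, 0x68
OP_DROP, OP_CHECKSEQUENCEVERIFY, OP_CHECKSIG = 0x75, 0xb2, 0xac
BLOCK_MINUTES = 10  # average block interval used to turn a CSV delay into hours

def push(data: bytes) -> bytes:
    """Minimal data push for payloads of 1..75 bytes (sufficient for keys, hashes, small numbers)."""
    assert 0 < len(data) <= 75
    return bytes([len(data)]) + data

def script_num(n: int) -> bytes:
    """Minimally encode a positive integer as a little-endian Bitcoin script number."""
    out = bytearray()
    while n:
        out.append(n & 0xff)
        n >>= 8
    if out and out[-1] & 0x80:  # high bit is the sign bit; pad so the number stays positive
        out.append(0x00)
    return bytes(out)

def to_local_script(revocation_pubkey: bytes, delayed_pubkey: bytes, to_self_delay: int) -> bytes:
    """BOLT-3 to_local script: revocation path, or the owner's path after a CSV delay."""
    return (bytes([OP_IF]) + push(revocation_pubkey)
            + bytes([OP_ELSE]) + push(script_num(to_self_delay))
            + bytes([OP_CHECKSEQUENCEVERIFY, OP_DROP]) + push(delayed_pubkey)
            + bytes([OP_ENDIF, OP_CHECKSIG]))

def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    """What sits on-chain while the channel is open: OP_0 <sha256(script)>, no public keys."""
    return bytes([OP_0]) + push(hashlib.sha256(witness_script).digest())

def exposed_after_force_close(witness_script: bytes) -> dict:
    """Parse a revealed witness script: compressed public keys now visible, CSV delay, window in hours.
    Assumes the delay is pushed as data (true for any to_self_delay above 16, i.e. in practice)."""
    pushes, delay, i = [], None, 0
    while i < len(witness_script):
        op = witness_script[i]
        i += 1
        if 1 <= op <= 75:  # direct data push of `op` bytes
            pushes.append(witness_script[i:i + op])
            i += op
        elif op == OP_CHECKSEQUENCEVERIFY and pushes:  # the push just before CSV is the delay
            delay = int.from_bytes(pushes[-1], "little")
    pubkeys = [p.hex() for p in pushes if len(p) == 33 and p[0] in (2, 3)]
    hours = delay * BLOCK_MINUTES / 60 if delay is not None else None
    return {"pubkeys": pubkeys, "to_self_delay": delay, "race_window_hours": hours}

# Constructed placeholder keys: 0x02 prefix plus a label hash (not real secp256k1 points).
REVOCATION_PK = b"\x02" + hashlib.sha256(b"revocationpubkey (constructed)").digest()
DELAYED_PK = b"\x02" + hashlib.sha256(b"local_delayedpubkey (constructed)").digest()
SCRIPT = to_local_script(REVOCATION_PK, DELAYED_PK, 144)
```

Running `exposed_after_force_close(SCRIPT)` on the script above reports both keys and a 144-block delay (24 hours), while `p2wsh_script_pubkey(SCRIPT)` contains neither key, matching the distinction the column draws between an open and a force-closed channel.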

    The reality of quantum computing capabilities

    A crucial detail often omitted from sensational headlines is that cryptographically relevant quantum computers do not currently exist, and the technological gap between today and the required capability is vast.

    To break Bitcoin’s elliptic curve cryptography, one would need to solve the discrete logarithm problem for a 256-bit key—a number with roughly 78 digits—using millions of stable, error-corrected logical qubits over an extended period. The largest number ever factored using Shor’s algorithm on actual quantum hardware is 21 (3 × 7), accomplished in 2012 with substantial classical assistance. The latest record involves a hybrid quantum-classical factoring of a 90-bit RSA number, which is impressive but still approximately 2⁸³ times smaller than the scale required to break Bitcoin.

    While Google’s quantum research is significant and worth monitoring, timelines discussed by serious researchers range from optimistic estimates in the late 2020s to more conservative projections for the 2030s or later. None of this implies «your Lightning balance is in immediate danger.»

    Developers are actively working on solutions

    Wertheimer’s characterization that Lightning developers are «helpless» contradicts the ongoing efforts within the community. Since December alone, the Bitcoin development community has introduced over five serious post-quantum proposals: SHRINCS (324-byte stateful hash-based signatures), SHRIMPS (2.5 KB signatures distributed across multiple devices, roughly three times smaller than the NIST standard), BIP-360, Blockstream’s hash-based signatures paper, and proposals for OP_SPHINCS, OP_XMSS, and STARK-based opcodes in tapscript.

    The accurate narrative is not that Lightning is broken and unfixable, but that it, like Bitcoin and much of the internet’s cryptographic infrastructure, requires a base-layer upgrade to achieve quantum resistance—a process that is already underway.

    Implications for businesses using Lightning now

    Lightning currently handles real payment volume for major enterprises, including iGaming platforms, crypto exchanges, neobanks, and payment service providers, enabling global money transfers at fractions of a cent with instant finality. The question for businesses should not be whether to abandon Lightning due to a theoretical future threat, but whether the teams building Lightning infrastructure are aware of and planning for this challenge.

    Based on the volume and quality of post-quantum research currently active in the Bitcoin development community, the answer is yes.

    The Lightning Network is not helplessly broken. It faces the same long-term cryptographic challenge as the broader digital financial system, and it has a development community actively working to address it. This is a very different story from the one the headline suggested.

    Note: The views expressed in this column are those of the author and do not necessarily reflect those of CoinDesk, Inc. or its owners and affiliates.
