Home/Notes/Bitcoin vs quantum

Note · 2026-01-11

Your Bitcoin wallet vs quantum computers, who wins

Bitcoin uses ECDSA on the secp256k1 curve. Shor's algorithm breaks ECDSA on a sufficiently large fault-tolerant quantum computer. The interesting question is which addresses get drained first.

·~6 min read·900 words

Bitcoin's signing key uses ECDSA. Shor's algorithm breaks ECDSA. Once a CRQC exists, any address whose public key has been revealed (older P2PK, reused P2PKH addresses, in-flight transactions waiting for confirmation) becomes spendable by an attacker who knows only the public key. Estimates suggest 25 to 35 percent of all BTC sits in such exposed addresses. Migration paths exist (Taproot quantum-safe BIPs in design) but require coordinated network-wide action.

What Bitcoin actually uses

Three pieces of cryptography:

  • ECDSA on secp256k1, signs transactions to prove ownership.
  • SHA-256, hashes blocks for proof-of-work and addresses.
  • RIPEMD-160, additional address hash.

Of those, ECDSA falls to Shor's algorithm on a CRQC. SHA-256 and RIPEMD-160 take a square-root speedup from Grover's algorithm but are not catastrophically broken, doubling output size restores classical security margins.

The address-format question

Whether a CRQC can drain a Bitcoin address depends on whether the public key is visible. Walk through the address types:

  • P2PK (Pay to Public Key), the original Bitcoin format. Public key is in the output script. CRQC drains immediately.
  • P2PKH (Pay to Public Key Hash), modern legacy format. Output script contains only the hash. Public key is revealed only when a transaction is signed and broadcast. As long as you never spend from the address, the public key is hidden behind a hash function (Grover-resistant). The moment you spend, you reveal the key, exposing any change address that uses the same key.
  • P2SH and P2WPKH (SegWit), similar properties to P2PKH from a quantum-exposure standpoint.
  • Taproot (P2TR), uses Schnorr signatures on secp256k1. Same Shor vulnerability as ECDSA. Public key is in the output script directly, so the key is visible from the moment funds arrive. Less safe than P2PKH against quantum adversaries.

How much exposure is actually out there

Various estimates put the exposed-key BTC fraction at 25 to 35 percent of supply. This includes:

  • Early-mining P2PK outputs (Satoshi-era addresses, the Patoshi pattern)
  • Reused P2PKH addresses where a previous spend revealed the public key
  • Lost-key addresses where the key is exposed but the owner cannot move funds before an attacker would
  • Taproot addresses with funds sitting in P2TR scripts

The honest framing: a CRQC arriving on day X immediately enables an attacker to drain the exposed fraction. The remaining BTC sits behind hashes that are Grover-resistant for the time being.

What Bitcoin can do

Three classes of mitigation in active discussion:

  • Soft-fork BIPs introducing PQ signature schemes, likely lattice-based (Dilithium variants) or hash-based (SPHINCS+, large signatures). Allows new outputs to use post-quantum signatures.
  • Migration windows for existing UTXOs, BIPs that allow proven owners to move funds from legacy addresses to PQ-secured ones without revealing the legacy public key first. This is hard, requires zero-knowledge or custom proof systems.
  • Block-level burning of clearly-abandoned addresses, controversial. Probably never happens on Bitcoin proper.

Ethereum is further along on this conversation than Bitcoin. The Ethereum Foundation's PQC initiative (which I commented on for ReversingLabs in 2026) is studying lattice-based signature replacement for the validator key infrastructure first, then user-account transition.

The harvest-now-spend-later angle

An adversary today can: identify exposed-key addresses with non-trivial balances, store the public keys, do nothing else. The day a CRQC ships, that adversary signs draining transactions for every stored key, broadcasts them in priority order, and walks away with whatever they can clear before the network notices. The network does notice (transactions are public), but by the time defensive measures kick in, the damage is done.

This is the same threat-model shape as harvest-now-decrypt-later for TLS, applied to wallet keys instead of session keys.

What Bitcoin holders should think about

Three practical postures:

  • Use P2PKH, P2WPKH, or P2SH addresses, never P2PK or single-use Taproot. Never reuse addresses.
  • Track BIP discussions on PQ signature support. When activation lands, migrate.
  • Do not panic-sell. The CRQC arrival is years away by current estimates. The migration path exists. The ecosystem moves slowly but it does move.

The wider read

Bitcoin is a small fraction of the asymmetric-cryptography problem the world faces in 2026. The fact that Bitcoin is exposed at all is a useful illustration. The real story is that every long-lived signing key in production today, from CA roots to enterprise PKI to IoT device certificates, sits on the same Shor-vulnerable foundation. The migration is the same migration. See Post-Quantum Cryptography for the standing perspective.

Related

This article was originally published on Medium. The canonical version lives here.