Dr. Sarah ChenHow Ordinal Inscriptions Work at a Technical Level
Ordinal theory assigns a serial number to each satoshi based on the order it was mined, following a specific numbering convention established by Casey Rodarmor's ord protocol. Inscriptions attach arbitrary content (images, text, JSON, HTML) to specific satoshis by embedding that content in the witness data of a Bitcoin transaction.
Technically, an inscription is created by spending a coin in a two-step process. First, a commit transaction creates a P2TR output that commits to a script containing the inscription data. Second, a reveal transaction spends that output, executing the script and embedding the inscription content in the witness field. The result is a satoshi carrying an inscription, stored in a P2TR (Taproot) output belonging to the creator's wallet.
All current major Ordinals wallets (Xverse, Leather, Unisat) use P2TR outputs for inscription storage by default. This means every inscription holder's Bitcoin sits in a Taproot address, with the specific quantum exposure characteristics of P2TR outputs.
P2TR Outputs and Inscription Holder Quantum Exposure
P2TR (pay-to-taproot) outputs commit to a tweaked public key Q directly in the output script. This public key is visible on-chain from the moment the output is created. As covered in detail in the analysis of Taproot's quantum safety properties, key-path P2TR spends expose the public key permanently and immediately, unlike P2WPKH which hides the key behind a hash until the first spend.
For inscription holders, this means: every inscription sitting in a P2TR output is associated with a public key that is already on-chain. A quantum attacker with sufficient qubit capacity does not need to wait for the inscription owner to initiate a transfer. They can derive the private key from the on-chain public key, construct a transfer transaction sending the inscription to an attacker-controlled address, and broadcast it.
The inscription itself (the ordinal sat with attached content) would transfer to the attacker's wallet. The original holder would lose both the inscription and the BTC dust carrying it.
Why High-Value Inscriptions Are Attractive Quantum Targets
The Ordinals market has produced inscriptions with significant value. Inscription #0 (the Genesis inscription, a pixel art image of a skull) and other early low-number inscriptions have traded for several BTC each. Rare satoshi categories (satoshis with specific ordinal numbers: first sat of a block, first sat of a difficulty adjustment period, etc.) carry premiums of 0.1 to 5 BTC depending on rarity tier.
The total market capitalization of Ordinals inscriptions reached approximately $1.2 billion at its 2024 peak. As of mid-2026, the market has contracted significantly, but high-value individual inscriptions remain attractive targets with specific, identifiable on-chain locations.
Unlike regular BTC UTXOs where the value is fungible and an attacker might prioritize by balance, inscriptions have non-fungible value attached to specific satoshis. An attacker with a list of high-value inscriptions and their current P2TR output addresses could target specific UTXOs rather than scanning all P2TR outputs. The publicly available ord indexer data provides exactly this targeting information.
Rare sat categories are especially precise targets. A satoshi classified as "uncommon" (first sat of each block) is worth roughly 0.05 BTC above its face value. A satoshi classified as "rare" (first sat of a difficulty adjustment period) commands premiums of 1 to 5 BTC. A "mythic" sat (the genesis block's first sat) is unique and has no market clearing price. All of these are identifiable by ordinal number, and their current custodial addresses are publicly visible via any ord indexer.
The Address Reuse Problem in NFT Markets
Ordinals trading involves frequent transfers: listings on marketplaces, sales, secondary transfers. Each time an inscription moves, the sending address's public key is revealed on-chain in the input's witness data.
The address reuse problem for Bitcoin quantum risk applies directly here. If an inscription holder has previously sent BTC from the same P2TR address (for example, by paying marketplace fees from their inscription wallet), their public key is now permanently on-chain. Any new UTXOs received at that address are immediately quantum-vulnerable, not just at-rest-vulnerable.
Ordinals marketplace infrastructure has historically been worse about address reuse than standard Bitcoin wallets. Some early Ordinals wallets did not automatically generate new receive addresses for each transaction. Users who bought, sold, and re-purchased inscriptions through the same wallet address over multiple transactions have compound exposure: their public key is confirmed on-chain, and their current inscription holdings at that address are immediately attackable.
Best practice for inscription holders is to verify that their current holding address has never been used as a sending address. This is checkable on any Bitcoin block explorer by looking at the address's transaction history. If any outgoing transaction exists from the address, the public key is exposed.
The Specific UTXO Model for Ordinals and Attack Mechanics
Ordinals tracks specific satoshis using FIFO (first-in-first-out) accounting within each transaction. The first satoshi of the first input corresponds to the first satoshi of the first output. This means inscription holders must be careful when spending UTXOs in the same wallet: accidentally spending the UTXO containing a valuable inscription (rather than a different dust output) would transfer the inscription without the owner intending to.
For a quantum attacker, this UTXO structure provides useful targeting information. The attacker knows exactly which UTXO contains the high-value inscription (from the ord indexer), knows the public key controlling that UTXO (from the P2TR output), and can construct a transaction spending that specific UTXO to their own address.
The attack does not need to be subtle. A quantum attacker with a valid private key can sign a standard Bitcoin transaction transferring the inscription UTXO. There is no script condition to satisfy beyond a valid Schnorr signature. If the key derivation happens faster than the victim's monitoring software detects and responds, the inscription is gone.
Unlike some theft scenarios in traditional crypto, there is no oracle to dispute or governance mechanism to revert. Bitcoin transactions are final. A valid signature spending the UTXO is all that is required.
Could Ordinal Protocols Migrate to Post-Quantum Signatures?
The ord protocol is an application layer built on top of Bitcoin. It does not require any Bitcoin consensus changes to define inscription indexing rules. Theoretically, the ord protocol could define a new address type preference for inscription storage that uses post-quantum-ready formats as they become available at the base layer.
Practically, the migration path for Ordinals is identical to the migration path for base-layer Bitcoin: it depends on BIP-360 (or a similar proposal) being activated at the consensus level and wallet software being updated to generate P2QRH outputs. The Ordinals protocol itself cannot create post-quantum outputs before the base layer supports them.
BIP-360's P2QRH output type, if adopted, would use ML-DSA (Dilithium) for signature verification. Inscriptions could be stored in P2QRH outputs once the format is supported. The transition would require inscription holders to transfer their holdings to new P2QRH addresses, which would itself involve a spend transaction that reveals the current secp256k1 public key in the process.
The migration transaction itself creates a brief quantum exposure window. For a standard Bitcoin transaction, this window is roughly 10 minutes. For an inscription holder moving a valuable asset, this 10-minute window may be acceptable or may be a concern depending on quantum hardware capabilities at the time of migration. Early migration, before quantum hardware reaches the threat threshold, eliminates this risk entirely.
What Inscription Holders Should Do Now
First, check whether your inscription holding address has any outgoing transaction history. If it does, your public key is on-chain and your holdings at that address are in a higher-risk category than standard P2TR outputs.
Second, use wallet software that generates new addresses for each receive. Moving your inscription to a fresh P2TR address that has never sent a transaction does not eliminate the key-path quantum exposure (the public key is still in the output), but it eliminates the compounding effect of address reuse.
Third, watch BIP-360 progress. The ability to hold inscriptions in post-quantum-resistant outputs requires base-layer changes. When those changes are available, migrating early (before quantum hardware reaches threatening capability) is significantly safer than waiting until migration is urgent.
The overall quantum vulnerability of Bitcoin places Ordinals holders in the same risk category as all P2TR output holders: key-path exposure is real and the timeline depends on quantum hardware progress. Inscription holders face an additional layer of risk from the identifiability and non-fungible value of their specific UTXOs. That combination of factors, known target, known address, non-fungible value, makes high-value inscription UTXOs among the most attractive targets for a quantum attacker optimizing for maximum value per attack.
