Is Ethereum More Vulnerable to Quantum Computers Than Bitcoin?
Yes. Roughly 55 to 60 percent of all ETH value is in addresses that have already sent at least one transaction. Every one of those addresses has its public key permanently on-chain. Bitcoin protects roughly 70 percent of its supply behind cryptographic hashes. Ethereum has no equivalent protection. The structural gap between the two networks is large, underreported, and cannot be patched retroactively.
This is not a hypothetical future concern. Every ETH address that has ever sent a transaction is already in a state where a sufficiently powerful quantum computer could derive its private key without any further action from the user. The public key is on-chain right now.
To understand why, you need to understand how the two networks handle public key exposure differently at the protocol level — and why that difference compounds the quantum risk for ETH holders in a way that Bitcoin largely avoids.
How Ethereum's Account Model Works — and Why It Leaks Public Keys
Ethereum uses an account model. Every address on the network has a persistent balance, nonce, and state. When you send a transaction from an Ethereum address, the transaction includes your ECDSA signature over the transaction data. From that signature, the Ethereum network recovers and verifies your public key using the ecrecover function.
That recovered public key gets used to confirm the transaction is valid. The signature, and therefore your public key, is permanently recorded in the transaction data on-chain. Anyone can look at any transaction from your address and extract the full secp256k1 public key. It has been there since your first outgoing transaction.
This is not a bug. It is how Ethereum's signature verification was designed. There is no way to send a transaction on Ethereum without exposing your public key. Zero exceptions. That includes simple ETH transfers, DeFi interactions, NFT purchases, contract deployments, and every other on-chain action an Ethereum account can take.
How Much ETH Is Quantum Exposed?
Approximately 55 to 60 percent of all ETH value — roughly 60 to 65 million ETH at current issuance levels — sits in addresses that have sent at least one outgoing transaction. These addresses have their public keys permanently on-chain. Every single one of them is quantum-exposed in the full sense: a powerful enough quantum computer could steal the funds without the owner doing anything further.
The estimate derives from on-chain analytics of Ethereum's address activity. The Ethereum network has approximately 230 million addresses with non-zero balances. Of those, roughly 190 to 200 million have sent at least one outgoing transaction. The addresses that have never sent a transaction retain the same hash-based protection that a new Bitcoin P2PKH address has.
But the distribution of ETH value is heavily skewed toward active addresses. High-balance wallets, whale addresses, institutional custodians, DeFi power users, and long-term holders who actively manage positions have all sent transactions. The dormant addresses that have never transacted tend to hold smaller balances on average. When you weight the exposure by value rather than by address count, the 55 to 60 percent figure emerges.
For DeFi specifically, the exposure is effectively 100 percent. Every address that has interacted with a smart contract has sent at least one transaction, revealing its public key. Uniswap users, Aave borrowers, Compound depositors, liquid staking protocol participants — all quantum-exposed, by definition.
Why Does Ethereum's Account Model Create Quantum Risk?
Ethereum reveals your public key on-chain the first time you send any transaction, because ECDSA signature recovery is how the protocol verifies sender identity. There is no hash-protection layer between your first spend and full public key exposure. A quantum computer running Shor's algorithm can derive a private key from a known public key — making every Ethereum address that has ever sent a transaction a potential theft target once quantum hardware is capable enough.
The mathematics here are precise. Shor's algorithm solves the elliptic curve discrete logarithm problem in polynomial time on a quantum computer. ECDSA over secp256k1, which Ethereum uses, depends on the hardness of exactly that problem. Given your public key, a quantum computer with sufficient logical qubits can compute your private key.
Grover's algorithm also matters here: it provides a quadratic speedup for searching hash preimages. But Grover's speedup on keccak-256 is currently considered manageable — the effective quantum security remains around 128 bits. That is far safer than the elliptic curve vulnerability, which Shor's algorithm eliminates entirely.
The conclusion: for Ethereum addresses that have never sent, the quantum risk is moderate and manageable. For addresses that have sent even once, the quantum risk is equivalent to having your public key published, which it has been.
Bitcoin's Different Architecture: Why ~70% of BTC Has a Quantum Safety Window
Bitcoin uses a UTXO model. Every unspent output locks funds to a specific spending condition. The most common conditions in use today are P2PKH (pay-to-public-key-hash) and P2WPKH (pay-to-witness-public-key-hash). In both formats, the locking condition commits only to a hash of the public key — not the key itself.
When you want to spend a P2PKH or P2WPKH output, you reveal the full public key in the transaction's unlocking script. At that moment, the public key is on-chain. But until you spend, the public key is hidden behind a hash. A quantum attacker would need to invert a 160-bit hash function to derive the public key from just the address — a problem that even quantum computers cannot efficiently solve.
This is the quantum safety window. Bitcoin outputs in P2PKH or P2WPKH format, in addresses that have never been used as a sender, retain this window.
According to recent academic research on Bitcoin quantum vulnerability, approximately 6 to 6.9 million BTC are meaningfully quantum-exposed right now. That includes roughly 1.1 million BTC in Satoshi-era P2PK outputs (the original P2PK format that writes the full public key directly into the output script, with no hash protection at all), as well as P2PKH and P2WPKH addresses that have previously sent transactions.
The remaining roughly 70 percent of circulating BTC supply sits in addresses that have never been used as senders. These outputs retain their quantum safety window. Ethereum has no equivalent to this 70 percent protected pool.
The Quantum Exposure Comparison: Bitcoin P2PK vs P2PKH vs Ethereum vs QuanChain
| Protocol / Format | Key Exposure Model | Quantum-Exposed Share | Protection Mechanism | PQC Upgrade Path |
|---|---|---|---|---|
| Bitcoin P2PK | Full public key in output script from creation | ~100% of P2PK outputs (~5-6% of BTC supply) | None. Key fully exposed. | BIP-360 P2QRH (proposed, not activated) |
| Bitcoin P2PKH / P2WPKH (unspent) | Public key hidden behind 160-bit hash until first spend | Near 0% (hash protects key at rest) | RIPEMD-160(SHA-256) hash — quantum safety window | BIP-360 P2QRH (proposed, not activated) |
| Bitcoin P2PKH / P2WPKH (spent) | Public key revealed in spending transaction | ~100% of spent outputs | None after first spend | BIP-360 P2QRH (proposed, not activated) |
| Ethereum (account model) | Public key revealed on first outgoing transaction | ~55-60% of all ETH value; ~100% of DeFi-active ETH | keccak-256 hash protects never-sent addresses only | EIP-7702 + PQC precompiles (post-2027, not yet scheduled) |
| QuanChain (ML-DSA-87) | Quantum-resistant public keys; SpendAndRotate limits on-chain exposure per transaction | ~0% (no classical ECDSA used) | ML-DSA-87 (NIST FIPS 204) + atomic key rotation on every spend | Native — no migration needed |
The table makes the structural asymmetry clear. Bitcoin's P2PKH design creates a meaningful quantum safety window for unspent outputs. Ethereum's account model eliminates that window the moment a user first transacts.
What Ethereum's Roadmap Says About This Problem
Ethereum's founder has not been silent on this issue. Vitalik Buterin has publicly discussed the quantum exposure problem created by the account model. EIP-7702, included in the Pectra upgrade deployed in May 2025, is partly a response. EIP-7702 allows externally owned accounts (EOAs) to temporarily delegate transaction signing to a smart contract, opening a path for post-quantum algorithms — but it does not protect the millions of existing EOA addresses that have already sent transactions.
Dedicated EVM precompiles for ML-DSA or SLH-DSA have been proposed but not yet scheduled for any Ethereum upgrade. The timeline for full PQC migration is post-2027 at earliest, and realistic timelines stretch to 2030 and beyond. Ethereum's post-quantum roadmap covers what is deployed versus what remains speculative.
NIST IR 8547 explicitly warns that organizations depending on ECDSA should begin migration planning immediately. The NIST recommended migration timeline does not accommodate a post-2030 transition gracefully.
The Irreversible Exposure Problem
Here is the element of this problem that gets the least attention: even a successful Ethereum post-quantum upgrade does not protect already-exposed addresses.
When your ETH address sent its first transaction in 2018, 2020, or 2023, your public key was written permanently to Ethereum's transaction history. The Ethereum blockchain is immutable. That transaction data will exist forever. When Ethereum eventually deploys post-quantum signature verification, it will enable future transactions to use quantum-resistant algorithms. It will not erase the past.
A quantum attacker in 2035 can look up every Ethereum address that has ever sent a transaction, extract the public key from the transaction history, and run Shor's algorithm against it. The fact that Ethereum has by then adopted ML-DSA for new transactions is irrelevant. The old public key is already on-chain. The old funds at that address are still vulnerable.
The only way to protect funds in a currently-exposed ETH address is to move them to a new address that uses post-quantum signing — before a quantum attacker reaches sufficient capability. That migration must happen proactively, before Q-Day, not after.
DeFi Amplifies the Exposure Problem
The DeFi context makes this worse. The majority of ETH value in DeFi protocols — Uniswap liquidity positions, Aave collateral, Lido stETH, Rocket Pool rETH, Maker Vault positions — comes from addresses that have actively interacted with those protocols. Every interaction is an outgoing transaction. Every outgoing transaction reveals the public key.
Smart contracts themselves add another layer. Many DeFi protocols are controlled by multisig governance or protocol-owned contract addresses. The human-controlled governance keys that can upgrade or drain those contracts have almost certainly sent transactions — meaning those governance keys are quantum-exposed. A quantum attacker could potentially compromise governance keys and drain protocol treasuries. Auditing smart contracts for quantum safety requires thinking about the full key exposure chain.
New ETH Addresses: A Misunderstood Safe Harbor
One nuance that most coverage gets wrong: new Ethereum addresses that have never sent a transaction are not quantum-exposed in the same sense.
An Ethereum address is the last 20 bytes of the keccak-256 hash of the public key. If an address has never sent a transaction, its public key has never been published on-chain. A quantum attacker looking at that address sees only the 20-byte hash. They cannot invert keccak-256 to recover the public key.
But this safe harbor has a catch. The moment you use that address to send anything, the public key is exposed and the protection is gone forever. In practice, ETH is useful only when you can spend it. A wallet you can only receive to and never spend from is not a functional wallet for most users. Bitcoin's UTXO model makes it natural to rotate addresses with each spend. Ethereum's account model has no equivalent: your address is fixed, and your public key exposure is permanent after your first send.
MetaMask, the Dominant Ethereum Wallet, Has No PQC Capability
MetaMask has over 30 million monthly active users and currently has no post-quantum signing capability. Whether MetaMask is quantum-safe is a question most users have never thought to ask — and the answer matters more for Ethereum than it does for Bitcoin wallet users, precisely because of the account model exposure problem described above.
How QuanChain Solves This at the Architecture Level
QuanChain was built to eliminate this class of problem entirely. The network uses ML-DSA-87 (CRYSTALS-Dilithium) as its signature scheme — standardized by NIST in FIPS 204. ML-DSA is designed to be secure against quantum computers running Shor's algorithm. There is no classical ECDSA on QuanChain. The secp256k1 vulnerability does not exist in QuanChain's stack.
Beyond the signature algorithm, QuanChain's SpendAndRotate mechanism further limits key exposure per transaction. Every time a QuanChain account sends a transaction, the key material rotates atomically in the same operation. The old key is invalidated. The new key is installed. An attacker who records today's public key and gains quantum capability in five years will find that key is already retired — it no longer controls any funds.
This design also eliminates the irreversible exposure problem that affects Ethereum. On Ethereum, a public key that appears in a 2020 transaction is still a valid target in 2035. On QuanChain, a key that appeared in a 2026 transaction is already retired — it was rotated away at the time of that transaction. The full technical comparison between QuanChain and Ethereum covers the architectural differences in detail.