P2PK vs P2PKH: Why Address Type Determines Your Bitcoin Quantum Risk

Your Bitcoin's quantum exposure depends almost entirely on output type. P2PK exposes your public key permanently. P2PKH only exposes it for ~10 minutes during a spend.

Dr. Sarah Chen
June 26, 2026

Why Bitcoin Output Types Are Not Equally Vulnerable to Quantum Attack

Bitcoin has four main output types in active use: P2PK, P2PKH, P2SH, and P2WPKH (along with its Taproot variant, P2TR). Most Bitcoin users never choose between them directly. Your wallet software picks the format, and most modern wallets default to P2WPKH or P2TR.

But the format matters for quantum security in ways that are direct and specific. A quantum computer running Shor's algorithm needs your public key to derive your private key. Different output types make that key available at different times and in different ways. Understanding the distinction tells you exactly how much time you have, and whether you have any time at all.

P2PK: Public Key Permanently On-Chain

Pay-to-public-key (P2PK) was Bitcoin's original output format. Satoshi Nakamoto used it exclusively in Bitcoin's earliest blocks. In a P2PK locking script, the full public key sits directly in the output. A standard uncompressed P2PK output looks like this:

<pubkey> OP_CHECKSIG

The public key is 65 bytes for an uncompressed key (or 33 bytes compressed). It is readable by anyone inspecting the blockchain. It has been readable since the block was confirmed. There is no waiting period, no transaction required from the owner. A quantum attacker can extract the public key today and run Shor's algorithm against it as soon as they have sufficient qubit capacity.

The Coinbase 2026 quantum report estimated roughly 1 million BTC in active P2PK outputs. The largest single concentration is the estimated 1.1 million BTC in Satoshi's Patoshi-pattern blocks, all created as P2PK outputs with public keys fully visible since 2009.

P2PKH: Public Key Protected Until Spend

Pay-to-public-key-hash (P2PKH) replaced P2PK as the standard output format around 2010. In a P2PKH locking script, the output contains only a hash of the public key:

OP_DUP OP_HASH160 <pubkeyHash> OP_EQUALVERIFY OP_CHECKSIG

The pubkeyHash is RIPEMD-160 applied to SHA-256 of the public key. This is a one-way function: you cannot derive the public key from the hash alone. A quantum attacker inspecting an unspent P2PKH output sees only the hash. Shor's algorithm cannot work on a hash; it requires the actual elliptic curve public key.

The public key only becomes visible when the owner spends the output. At that point, the unlocking script includes both the signature and the full public key. Now a quantum attacker can see the key. But the transaction is already in the mempool, racing toward confirmation in the next block, typically within 10 minutes for a normally-priced transaction.

This 10-minute window is the quantum attack surface for P2PKH. It is a real risk if quantum computers reach the threshold needed to break elliptic curve cryptography, but it is a fundamentally different risk profile from P2PK. With P2PK, there is no race. With P2PKH, a fast enough quantum computer would need to win a 10-minute sprint.

P2SH and Multisig: Public Keys Hidden Until Redemption

Pay-to-script-hash (P2SH) works similarly to P2PKH from a quantum exposure perspective. The locking script contains only the hash of a redeem script. The full redeem script, including any public keys in multisig configurations, is only revealed when the output is spent.

A 2-of-3 multisig P2SH output, for example, hides all three public keys until the UTXO is redeemed. An unspent P2SH output gives a quantum attacker nothing to work with directly.

Once spent, all public keys in the redeem script are visible on-chain. If those same addresses are reused (new UTXOs sent to the same P2SH address), the hash of the redeem script is known but the script itself was already revealed. The quantum risk from address reuse in P2SH contexts is the same as the general address reuse problem discussed below.

P2WPKH and P2TR: Native SegWit and Taproot

P2WPKH (pay-to-witness-public-key-hash) is the native SegWit format. Like P2PKH, it commits to a hash of the public key in the output. The actual public key only appears in the witness data when spending. The quantum exposure window is the same approximately 10-minute mempool window as P2PKH.

P2TR (pay-to-taproot) is more complex. Taproot outputs commit to a tweaked public key directly in the output: the key-path spend case exposes this public key when spending, creating the same 10-minute window. However, Taproot's script-path spend option can hide the spending conditions entirely, revealing only the specific script branch used. This offers some structural advantages for post-quantum migration but does not change the baseline elliptic curve security of key-path spends.

A common misconception is that Schnorr signatures (which Taproot uses via BIP-340) are more quantum-resistant than ECDSA. They are not. Both rely on the hardness of the elliptic curve discrete logarithm problem. Shor's algorithm breaks both equally.

How Much BTC Is at Risk in Each Category?

Precise numbers require live blockchain analysis, but research published through early 2026 provides useful estimates:

P2PK outputs hold approximately 1 to 1.5 million BTC, with Satoshi's estimated 1.1 million BTC representing the majority. These are at immediate risk once a quantum computer reaches the required threshold, with no mitigation window available to owners.

P2PKH outputs represent a much larger share of total BTC: estimates range from 3 to 5 million BTC in unspent P2PKH UTXOs. Of these, any address that has been spent from at least once has its public key permanently on-chain, creating P2PK-equivalent exposure. The Coinbase 2026 report estimated roughly 2 million BTC in reused P2PKH addresses where the public key is already visible.

P2WPKH and P2TR outputs hold the majority of actively managed Bitcoin. Their quantum exposure is limited to the mempool window during spending. This is a genuine risk at quantum scale but a manageable one with protocol-level transaction broadcast changes.

P2SH multisig outputs represent several hundred thousand BTC. Their exposure pattern matches P2PKH: protected until the first spend, then keys are on-chain.

Address Reuse Turns Any Format Into P2PK-Equivalent Exposure

Address reuse is the practice of receiving Bitcoin to an address that has already been used to spend. When you spend from an address, your public key appears in the unlocking script of that transaction. It stays on-chain permanently.

If you then receive new Bitcoin to the same address, you have effectively created a P2PK-equivalent situation. The output is P2PKH or P2WPKH in format, but your public key is already on-chain from the previous spend. A quantum attacker has your key and can wait for an unconfirmed output to appear at that address, then immediately construct a competing transaction.

This is why the Bitcoin post-quantum response plan emphasizes address hygiene as a first-line defense. Every modern wallet generates new addresses automatically for each receive. Using that feature correctly eliminates the address reuse risk entirely, independent of any protocol upgrade.
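
An added example (not code from the article or from any wallet project): a small auditor that matches the P2PK, P2PKH, P2SH and P2WPKH locking-script templates described above and marks a hash-locked output as exposed when its script has already been spent from. The function names, labels and sample scripts are constructed for illustration, and the set of previously spent scripts is assumed to come from your own transaction history.

```python
def classify(spk: bytes):
    """Return (output type, what the locking script carries, payload bytes)."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK", "pubkey", spk[1:-1]
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "P2PKH", "hash", spk[3:23]
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "P2SH", "hash", spk[2:22]
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", "hash", spk[2:]
    return "other", "unknown", b""

def audit(utxos, spent_from):
    """Map label -> (type, exposure); spent_from holds scripts already spent from."""
    report = {}
    for label, spk_hex in utxos:
        kind, carries, _ = classify(bytes.fromhex(spk_hex))
        if carries == "pubkey":
            exposure = "key in output"
        elif carries == "hash" and spk_hex in spent_from:
            # Address reuse: an earlier spend already published the key or redeem script.
            exposure = "key revealed by earlier spend"
        elif carries == "hash":
            exposure = "key hidden until spend"
        else:
            exposure = "not classified"
        report[label] = (kind, exposure)
    return report

# Constructed sample data: placeholder bytes, not real keys or hashes.
UTXOS = [
    ("early-coinbase", "41" + "04" + "11" * 64 + "ac"),
    ("fresh-legacy", "76a914" + "22" * 20 + "88ac"),
    ("reused-legacy", "76a914" + "33" * 20 + "88ac"),
    ("multisig", "a914" + "44" * 20 + "87"),
    ("segwit", "0014" + "55" * 20),
]
SPENT_FROM = {"76a914" + "33" * 20 + "88ac"}

if __name__ == "__main__":
    for label, result in audit(UTXOS, SPENT_FROM).items():
        print(label, *result)
```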

How to Check Your Own Address Type

Bitcoin addresses encode their type in their prefix. Legacy P2PKH addresses start with 1 (example: 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf5a). P2SH addresses start with 3. Native SegWit P2WPKH addresses start with bc1q. Taproot P2TR addresses start with bc1p.

If your Bitcoin sits in a 1-prefix address that you have never spent from, your public key is protected by the RIPEMD-160/SHA-256 hash. If you have spent from that address even once, check the blockchain for your transaction. If your public key appears in the input's unlocking script, it is permanently visible.

For bc1q and bc1p addresses that have not been spent from, the public key remains protected. The quantum risk is limited to the transaction broadcast window when you eventually spend.

The practical guide to assessing your own quantum exposure covers these checks in detail, including how to identify whether specific UTXOs in your wallet have exposed keys.
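
An added example (not from the article): the prefix check described above, done by decoding the address and verifying its checksum instead of reading only the first characters. It goes slightly beyond the text by separating the two kinds of bc1q address, 20-byte P2WPKH and 32-byte P2WSH; the function names are illustrative and only mainnet addresses are handled.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)

def base58check(addr):
    """Decode a legacy address into (version byte, 20-byte payload)."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)  # ValueError on a character outside Base58
    raw = n.to_bytes(25, "big")  # OverflowError if the string is too long
    body, check = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != check:
        raise ValueError("Base58Check checksum mismatch")
    return body[0], body[1:]

def segwit(addr):
    """Decode a bc1 address into (witness version, program length in bytes)."""
    hrp, data = addr.lower().rsplit("1", 1)
    vals = [B32.index(c) for c in data]
    chk = 1
    for v in [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + vals:
        top = chk >> 25
        chk = (chk & 0x1FFFFFF) << 5 ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    # Witness v0 uses the bech32 constant 1 (BIP-173); v1 and later use bech32m (BIP-350).
    if hrp != "bc" or len(vals) < 8 or chk != (1 if vals[0] == 0 else 0x2BC830A3):
        raise ValueError("not a valid mainnet segwit address")
    return vals[0], (len(vals) - 7) * 5 // 8

def address_type(addr):
    """Return the output type an address encodes, or 'invalid' / 'unknown'."""
    try:
        if addr.lower().startswith("bc1"):
            segwit_types = {(0, 20): "P2WPKH", (0, 32): "P2WSH", (1, 32): "P2TR"}
            return segwit_types.get(segwit(addr), "unknown")
        version, _ = base58check(addr)
        return {0x00: "P2PKH", 0x05: "P2SH"}.get(version, "unknown")
    except (ValueError, OverflowError):
        return "invalid"

if __name__ == "__main__":
    # Public BIP-173 test vector, then the same string with one character changed.
    good = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
    for a in (good, good[:-1] + "5"):
        print(a, address_type(a))
```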

The Bottom Line on Output Types and Quantum Risk

P2PK outputs are the highest-priority quantum risk: no time window, no mitigation available to owners, public keys fully exposed since the day the output was created. Roughly 1 to 1.5 million BTC fall into this category.

Reused P2PKH addresses are the second-highest risk category: public keys already on-chain, functionally equivalent to P2PK from an attacker's perspective. This affects an estimated additional 2 million BTC.

Fresh P2PKH, P2WPKH, and P2TR addresses (never-spent) carry only the mempool window risk: a genuine concern at quantum scale, but one that a combination of protocol changes and post-quantum signature schemes can address. The full picture of Bitcoin's quantum vulnerability covers what a network-level response to this risk would require.

Dr. Sarah Chen

Head of Cryptography Research

Dr. Sarah Chen leads cryptographic research at QuanChain, specialising in post-quantum algorithm integration and quantum threat timeline analysis. She holds a PhD in cryptography and has published extensively on lattice-based cryptographic systems and their application to distributed ledger security.
