A Framework, Not an Alarm
The question of whether to move Bitcoin holdings in response to the quantum threat is genuinely difficult, and it deserves a structured answer rather than either reflexive dismissal or panic. The honest answer is that it depends on three specific factors: your address exposure profile, your holding horizon, and how you assess the hardware timeline. This post works through each of those factors in sequence and offers a practical risk hierarchy at the end.
One thing should be clear at the outset: the risk here is not symmetrical. The cost of acting early is low. The cost of acting late, if the threat materializes faster than expected, could be total. That asymmetry should inform how you weight uncertainty in this framework.
Step 1: Identify Your Exposure Type
Not all Bitcoin addresses carry the same quantum risk. The exposure varies significantly by address format and usage history, and the first step in any rational assessment is knowing which category your holdings fall into.
P2PK (Pay-to-Public-Key): These are outputs from Bitcoin's earliest years, predominantly 2009 through 2012. In P2PK, the full public key is embedded directly in the output script with no hash layer. The public key has been on-chain since the day the output was created, and it will remain there until the output is spent. Anyone holding value in P2PK outputs is in the highest-risk category without qualification. This includes most of the estimated 1.1 million BTC associated with Satoshi Nakamoto's early mining activity.
Reused P2PKH (Pay-to-Public-Key-Hash): P2PKH addresses hash the public key before recording it on-chain, which provides meaningful protection for unspent outputs that have never sent funds. However, the moment a P2PKH address is used to send Bitcoin, the spending transaction includes the full public key in its input script. That key is now permanently on-chain. Any P2PKH address that has ever sent a transaction and still holds a balance has a fully exposed public key. This is an extremely common situation: address reuse has been standard practice throughout most of Bitcoin's history.
Fresh bech32 or P2TR addresses that have never sent funds: These addresses expose only a hash of the public key. A quantum attacker would need to break the hash function rather than the elliptic curve to derive the key, and hash functions require Grover's algorithm rather than Shor's. The effective security is substantially better than exposed-key addresses. The protection exists only as long as the address has never sent any outgoing transaction.
The Vulnerable Wallets guide and the full vulnerability ranking by cryptocurrency provide detailed breakdowns of how these exposure categories map to specific wallet types and network histories.
Step 2: Assess Your Holding Horizon Against the Timeline
Your quantum risk is a function of both your exposure type and how long you intend to hold. A P2PK address holder planning to hold for thirty years faces a categorically different risk than a fresh bech32 address holder planning to sell within twelve months.
The hardware timeline for cryptographically relevant quantum computing is genuinely uncertain, but it is bounded. The Quantum Threat Calculator models three scenarios based on current hardware trajectories: a conservative scenario where the threat materializes in the 2040s, a moderate scenario centered on the 2030 to 2035 window, and an aggressive scenario where optimistic QLDPC code implementation and algorithmic improvements produce capable hardware by the late 2020s.
The compression of qubit requirement estimates over the past decade is the most important data point for calibrating your view. In 2012, breaking RSA-2048 was estimated to require billions of physical qubits. By 2022, optimized approaches had reduced that estimate by several orders of magnitude. The pattern of compression has been consistent, which is itself a reason to weight aggressive timeline scenarios more heavily than historical base rates would suggest. If your holding horizon extends past 2035, the moderate scenario is well within your planning window.
Step 3: Understand What Moving Actually Does and Does Not Fix
Here is the part that most guides on this topic omit: moving your Bitcoin to a new address is not a clean solution, even when it is the right thing to do.
When you spend from any address, the spending transaction must include your public key in its witness data so that nodes can verify the signature. This is a protocol requirement. The moment you broadcast a transaction from any address, including a fresh one you just created, your public key is visible in the mempool. It is confirmed on-chain when the transaction is included in a block.
The difference between a fresh address and a reused one is not that the fresh address avoids exposure entirely. It is that the fresh address has a smaller exposure window: the time between when you broadcast the transaction and when it is confirmed. During that window, a quantum adversary watching the mempool could theoretically derive your private key from the broadcast public key and submit a competing transaction. This requires significantly faster quantum computation than the long-range attack on stored funds, but it is not zero risk.
What moving achieves: it eliminates the long-standing, permanently archived exposure of a reused address. The new destination address, if it never sends funds, has no public key on-chain at all. That is a real and meaningful improvement. What moving does not achieve: it does not make your Bitcoin permanently quantum-safe. It converts a high-exposure situation into a lower-exposure situation.
The Practical Risk Hierarchy
Given the exposure categories and timeline analysis above, a practical priority order for action looks like this:
- P2PK holders should act now. The public key has been on-chain for years or decades. There is no marginal exposure created by moving. The only question is whether you do it before quantum hardware makes the computation economically feasible, and the hardware timeline says the window to act is measured in years, not decades. There is no rational case for waiting.
- Reused P2PKH holders should act on a medium-priority timeline. If your address has sent funds and still holds a balance, your public key is permanently on-chain. Move the balance to a fresh address that you commit to never reusing. Do this within the next twelve to twenty-four months if your holding horizon extends past 2030.
- Fresh, never-spent bech32 or P2TR holders are lowest priority but not zero risk. Your protection depends on continuing to never send from the address. If you need to spend, generate a fresh destination address for any change output and plan the transaction so that residual funds go to a new address you control.
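The exposure categories from Step 1 and the priority order above can be applied mechanically to a wallet's own output history. The following is an added example, not code from the original post: the function names, tier labels and sample scripts are constructed for illustration, it recognises only the P2PK, P2PKH and v0 bech32 (P2WPKH) script templates, and it generalises the "reused P2PKH" tier to any hash-based address that has already sent funds.

```python
# Added example (not from the original post): sort a wallet's outputs into the
# post's exposure tiers. Recognises P2PK, P2PKH and P2WPKH templates only.

def script_type(script_hex):
    """Name the output-script template, or 'other' if it is not one of the three."""
    s = bytes.fromhex(script_hex)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG (0xac); the key itself is in the output.
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        if (len(s) == 35 and s[1] in (2, 3)) or (len(s) == 67 and s[1] == 4):
            return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    # P2WPKH (v0 bech32): OP_0 <push 20> <hash160>
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    return "other"


def exposure_tier(script_hex, has_sent):
    """Map a script and its spend history to the post's priority order."""
    kind = script_type(script_hex)
    if kind == "p2pk":
        return "act now"  # public key on-chain since the output was created
    if kind in ("p2pkh", "p2wpkh"):
        # A hash-only output stays protected only while its address has never sent.
        return "medium priority" if has_sent else "lowest priority"
    return "unclassified"  # template not covered by this sketch


def triage(outputs):
    """outputs: (script_hex, sats, spent) tuples. Returns unspent sats per tier."""
    outputs = [(s.lower(), sats, spent) for s, sats, spent in outputs]
    sent_from = {s for s, _, spent in outputs if spent}  # scripts that have sent
    totals = {}
    for s, sats, spent in outputs:
        if not spent:
            tier = exposure_tier(s, s in sent_from)
            totals[tier] = totals.get(tier, 0) + sats
    return totals


# Constructed sample history: (scriptPubKey hex, satoshis, already spent?)
P2PK = "41" + "04" + "11" * 64 + "ac"
REUSED = "76a914" + "aa" * 20 + "88ac"
FRESH_LEGACY = "76a914" + "bb" * 20 + "88ac"
FRESH_BECH32 = "0014" + "cc" * 20
HISTORY = [(P2PK, 5_000_000_000, False), (REUSED, 100_000_000, True),
           (REUSED, 200_000_000, False), (FRESH_LEGACY, 30_000_000, False),
           (FRESH_BECH32, 70_000_000, False)]
```

`triage(HISTORY)` returns the unspent balance in each tier, with the reused address's remaining 2 BTC landing in the medium tier because an earlier output to the same script was already spent.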
The Exchange Custody Question
A common assumption is that holding Bitcoin on an exchange provides protection because exchanges manage their own security. This is incorrect with respect to quantum risk.
Exchange hot wallets are among the most exposed addresses on the Bitcoin network. They process thousands of transactions per day, meaning their public keys have been exposed many times over. They hold enormous balances in addresses with fully visible public keys. An adversary with quantum capability would view an exchange hot wallet as a high-value, already-catalogued target. Exchange cold storage is somewhat better, but there is no way for a depositor to audit the address formats or key management practices behind it. Self-custody in a fresh, never-reused address that you control is categorically safer than exchange custody for the specific purpose of quantum risk management.
Hardware Wallets: What They Help and What They Do Not
Hardware wallets generate and store private keys in a tamper-resistant secure element that never exposes the raw key material to connected computers. This is meaningful protection against a range of classical attacks: malware, phishing, compromised signing software. For quantum risk, the picture is more specific.
A hardware wallet helps with key generation: generating a private key in a secure environment reduces the risk that the key was compromised at creation. A hardware wallet does not help with on-chain exposure. If you use your hardware wallet to sign a transaction from a reused address, the public key appears on-chain exactly as it would from a software wallet. The exposure is a function of the protocol, not the signing device.
What a Responsible Migration Looks Like in Practice
A practical migration for a Bitcoin holder concerned about quantum risk involves three steps. First, generate a fresh wallet using a hardware device you have not used before, or derive a new set of addresses from a fresh seed. Second, move your holdings to those fresh addresses in a single transaction, being conscious that the spending transaction will briefly expose your old public key in the mempool. Third, commit to never reusing those new addresses: treat each address as a one-use receiving address for future deposits, and generate a new change address for every outgoing transaction.
This process does not make your holdings permanently quantum-safe. It puts them in the best achievable position within the constraints of the existing Bitcoin protocol. The timeline for executing this migration matters. Doing it when quantum hardware is three years away is meaningfully safer than doing it when it is six months away, because the mempool window risk is only dangerous if an adversary has quantum capability at the moment of broadcast.
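The three migration steps can be checked against a planned transaction before it is broadcast. This is an added example, not code from the original post: `check_migration`, its finding strings and the sample scripts are hypothetical, scripts are treated as opaque hex identifiers, and "fresh" is judged only against the wallet's own known history.

```python
# Added example (not from the original post): pre-broadcast check of a
# migration plan. All names and sample values are constructed.

def check_migration(history, spend, pay_to):
    """history: (script_hex, sats, spent) tuples for the old wallet.
    spend:   scripts whose unspent outputs the planned transaction consumes.
    pay_to:  scripts the planned transaction pays to (destination and change).
    Returns a list of findings; an empty list means the plan follows the steps."""
    history = [(s.lower(), sats, spent) for s, sats, spent in history]
    spend = {s.lower() for s in spend}
    pay_to = [s.lower() for s in pay_to]
    seen = {s for s, _, _ in history}                   # every script used so far
    unspent = {s for s, _, spent in history if not spent}
    findings = []
    if not pay_to:
        findings.append("plan has no destination")
    for s in sorted(spend - unspent):
        findings.append(f"input has no unspent balance: {s[:12]}")
    # Second step: holdings move in a single transaction, nothing stays behind.
    left = sum(sats for s, sats, spent in history if not spent and s not in spend)
    if left:
        findings.append(f"left behind on old addresses: {left} sats")
    # First and third steps: every output, change included, goes to a fresh address.
    for s in sorted(set(pay_to) & seen):
        findings.append(f"output pays an already-used address: {s[:12]}")
    if len(set(pay_to)) != len(pay_to):
        findings.append("same address paid twice")
    return findings


# Constructed sample wallet and two candidate plans.
OLD_A = "76a914" + "aa" * 20 + "88ac"   # has sent before, still holds a balance
OLD_B = "0014" + "cc" * 20              # never sent
NEW = "0014" + "dd" * 20                # from the fresh seed
HISTORY = [(OLD_A, 100_000_000, True), (OLD_A, 200_000_000, False),
           (OLD_B, 70_000_000, False)]
GOOD_PLAN = ({OLD_A, OLD_B}, [NEW])
BAD_PLAN = ({OLD_A}, [NEW, OLD_A])      # change returns to the exposed address
```

`check_migration(HISTORY, *BAD_PLAN)` reports both the balance left on `OLD_B` and the change output that returns to `OLD_A`; the good plan returns an empty list.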
The Longer-Term Answer
Address hygiene on existing blockchains reduces exposure but does not eliminate the architectural problem. Every spend on Bitcoin, Ethereum, and every other major classical blockchain exposes a public key. That is a protocol-level constraint that cannot be fixed by individual users changing their behavior.
The only complete answer to quantum key exposure is infrastructure that never places public keys on-chain at all. TADEQS implements this through atomic key rotation on spend, so that each spending transaction rotates the key material in the same operation, leaving no public key in the transaction record for an adversary to harvest. The consequences of Q-Day for Bitcoin are severe precisely because the architectural exposure is built into the protocol itself. The mitigation available to holders today is about reducing risk within that constraint, not eliminating the constraint.
The Asymmetry That Should Drive Your Decision
Return to the asymmetry from the opening. If you migrate to a fresh address now and the quantum threat never materializes, you have spent some time and transaction fees and experienced no loss. If you delay migration and the threat materializes faster than expected, you could lose your entire holding to an attacker who derived your private key from a public key that has been on-chain for years.
That asymmetry is not close. The cost of acting early is bounded and small. The cost of acting late is potentially unbounded. For any holder with a significant position and a multi-year holding horizon, the rational response to that asymmetry is to act sooner rather than later, to choose self-custody over exchange exposure, and to begin understanding what post-quantum blockchain infrastructure looks like for the long-term portion of their holdings.




