Bitcoin SecurityBeginner12 min read2026-07-16

Bitcoin Quantum Risk Assessment: Is Your BTC Safe?

TL;DR: Not all Bitcoin is equally exposed to quantum attack. Your risk depends entirely on which address types hold your BTC and whether you have ever spent from those addresses. P2PK outputs (Satoshi-era coins) and addresses from which you have already sent are fully quantum-exposed today. Unspent bech32 addresses that have never sent are safer, but still require migration before a cryptographically relevant quantum computer arrives. Check your addresses, move high-risk coins to fresh addresses, and do not reuse addresses after spending.

How a Quantum Computer Actually Attacks a Bitcoin Wallet

A quantum computer does not brute-force Bitcoin private keys by guessing. It runs Shor's algorithm against a public key to derive the corresponding private key mathematically, in polynomial time. The attack requires the public key to be known, either from an on-chain P2PK output or from a previous spending transaction. Without the public key, a quantum computer has nothing to work with.

This is the core insight that shapes the entire risk assessment: Bitcoin's quantum vulnerability is not uniform. It tracks public key exposure on the blockchain. Outputs that hide the public key behind a hash (P2PKH and bech32 unspent outputs) give a quantum adversary nothing to attack, at least until the owner spends from that address and reveals the public key on-chain.

The Webber et al. 2022 paper quantified the resource requirements: breaking a 256-bit elliptic curve key requires approximately 317 × 10^6 physical qubits with current error-correction approaches, with an attack window of one hour for the most aggressive scenarios, or 13 million physical qubits for a one-day attack. IBM's public roadmap is targeting tens of thousands of physical qubits in the near term. The gap between current capability and the requirement for Bitcoin attacks is real, but it is a gap on a closing curve.

An April 2026 report from the Coinbase Institutional Advisory Board estimated that approximately 6.9 million BTC are in addresses where the public key is already exposed on-chain and immediately vulnerable to a sufficiently powerful quantum attacker. This is not a worst-case scenario; it is the current state of the blockchain, readable by anyone who examines the UTXO set.

Bitcoin Address Types and Their Quantum Exposure Levels

Bitcoin has four main output types with meaningfully different quantum risk profiles. Understanding which type holds your coins is the first step in any risk assessment. The address format alone tells you the output type: addresses starting with 1 are P2PKH, addresses starting with 3 are P2SH, and addresses starting with bc1q or bc1p are bech32 (P2WPKH/P2WSH) or Taproot (P2TR).

P2PK (Pay to Public Key): This is the highest-risk output type. P2PK outputs, used extensively in the early years of Bitcoin including all of Satoshi Nakamoto's known mining rewards, encode the full 65-byte uncompressed public key directly in the output script. The public key is permanently visible on-chain without any spending transaction required. Every bitcoin in a P2PK output is fully quantum-exposed right now. A quantum computer with sufficient capability could derive the private key, create a valid spending transaction, and move those coins without any involvement from the original holder.

P2PKH (Pay to Public Key Hash) with prior spending: Standard Bitcoin addresses starting with 1. If you have ever sent bitcoin FROM a P2PKH address, the spending transaction included your public key in the input script. That public key is now permanently recorded in Bitcoin's transaction history. Any remaining balance in that address is quantum-exposed, because the public key needed to run Shor's algorithm is already on-chain. This exposure applies not only to the specific UTXO that was spent but to any other output that ever resided at the same address.

P2PKH unspent (never sent from this address): If you hold bitcoin at a P2PKH address and have NEVER sent any transaction from it, your public key is not on-chain. The address encodes the hash of the public key (HASH160, which is RIPEMD-160 of SHA-256 of the public key). A quantum computer presented only with this hash cannot invert it to recover the public key; inversion of SHA-256 by a quantum computer would require Grover's algorithm, not Shor's, and even Grover's attack on SHA-256 requires roughly 2^128 quantum operations, which is computationally infeasible for the foreseeable future. These outputs are relatively safe but not permanently so: they become exposed the moment you spend from the address.

Bech32 and Taproot (bc1q, bc1p): Native SegWit and Taproot addresses follow the same logic as unspent P2PKH. If the address has never been used as an input in a transaction, the public key is hidden behind a hash. Bech32 addresses use the same HASH160 construction as P2PKH for P2WPKH, so the quantum exposure dynamics are identical. Taproot (P2TR) outputs expose a tweaked public key in the output script, but this does not immediately enable an attack because the tweaked key alone does not reveal the private key path without additional information.

How to Audit Your Own Bitcoin Exposure

Auditing your personal bitcoin exposure requires answering three questions for each address you control: What output type is it? Has it ever been used as an input? And what is the current balance?

For addresses in your custody, start by listing every address in your wallet software and checking its transaction history using a block explorer such as mempool.space. For each address, examine whether it appears in any transaction's input section. If it does, the public key was revealed in that transaction and the address is quantum-exposed. A zero-balance address that has sent transactions is not at risk of theft (there is nothing to steal), but any new deposits to that address would immediately be exposed.

For hardware wallet users, the wallet's address book and transaction history will show which receive addresses have been spent from. Most modern hardware wallets automatically generate new receive addresses after each transaction, which limits exposure from address reuse. However, if you have been using the same address across multiple transactions (a common practice before HD wallets became standard), check your transaction history carefully.

The QuanChain vulnerable wallet checker provides a straightforward tool for assessing quantum exposure by address without requiring any account or login.

One important caveat: exchange-held bitcoin is assessed by the exchange's own address management. If your bitcoin sits on Coinbase, Binance, or another custodian, your quantum exposure is the exchange's problem to manage, not yours directly. But you are trusting the exchange to perform that management competently, which is a separate risk worth factoring into custody decisions.

The Harvest-Now-Decrypt-Later Timeline for Bitcoin Holders

The harvest-now-decrypt-later (HNDL) threat means that the quantum-exposure risk is not limited to the future moment when quantum computers become capable. It begins the moment your public key appears on-chain, because sophisticated adversaries can record that data and wait. The question is not just "will quantum computers be able to attack my address?" but "will they be able to attack it before I move my coins?"

Based on the Webber et al. 2022 analysis and the IBM quantum roadmap, credible estimates for a cryptographically relevant quantum attack on a 256-bit elliptic curve key (the type used in Bitcoin) range from the mid-2030s to the early 2040s. The lower end of that range is roughly ten years from now. Bitcoin transaction finality is measured in hours; migrating a wallet from a quantum-exposed address to a fresh address takes minutes once you decide to do it. The time constraint is not technically severe for individual holders today.

The timing problem is one of incentives and coordination, not one of technical difficulty. If every Bitcoin holder who needs to migrate their exposed addresses attempts to do so once a public quantum threat becomes acknowledged, the mempool congestion from millions of simultaneous migration transactions will be severe. Fee spikes during periods of high demand have historically reached hundreds of dollars per transaction. Migrating early means migrating at ordinary fees; migrating after a threat announcement means migrating in a fee market with extreme pressure.

What Moving Your BTC Actually Fixes

Moving your BTC from a quantum-exposed address to a fresh address that has never sent a transaction fixes the immediate public key exposure problem. If you send all funds from an old P2PKH address that previously had outgoing transactions to a fresh bech32 address that has never been used as an input, the new address hides your public key behind a hash, and a quantum attacker has no public key to target at the new address.

However, moving BTC does not fix several related problems that are worth understanding explicitly. First, moving BTC from an exposed address to a fresh one creates a new spending transaction from the exposed address. That transaction is valid and will be included in a block only if you send it before a quantum attacker does. If a quantum attacker with sufficient capability has derived your private key, a race condition exists between your legitimate migration transaction and the attacker's theft transaction. Speed matters: the attacker who sees your migration transaction in the mempool can attempt to front-run it.

Second, moving BTC from an old address to a fresh classical address does not make your coins quantum-resistant in the long term. The new address is safer only while unspent. The moment you spend from the new address, the public key is revealed, and the exposure cycle begins again. True long-term quantum safety for Bitcoin requires Bitcoin itself to adopt post-quantum signature algorithms at the protocol level, which is a far larger and more complex migration.

Third, if you use a hardware wallet, the seed phrase that derived your old exposed keys also derives your new keys. The seed phrase security does not change when you migrate addresses. Seed phrase theft, social engineering, and physical access attacks remain orthogonal to quantum risk.

Decision Matrix: What to Do Based on Your Situation

Your Situation Quantum Risk Level Recommended Action Urgency
BTC in P2PK output (address starting with 1 from pre-2012 era, never moved) Critical: public key fully exposed on-chain Move to fresh bech32 address immediately High
BTC in P2PKH address that has previously sent transactions High: public key visible in spending transaction history Move to fresh address; do not reuse the old address High
BTC in P2PKH address, never sent from it Moderate: protected by hash but loses protection on first spend Use a fresh address for each receive; never reuse after spending Medium
BTC in bech32 address (bc1q), never spent from it Low-moderate: similar to unspent P2PKH; hash provides protection until spend Monitor quantum computing developments; fresh address after each spend Low (watch and prepare)
BTC held on exchange (custodial) Depends on exchange security practices Ask exchange about quantum migration roadmap; consider self-custody Medium

For long-term holdings of significant value, the appropriate response is not only moving BTC today but engaging with Bitcoin network governance around post-quantum signature algorithm adoption, and evaluating whether a natively quantum-resistant network better serves long-term storage requirements than migration stopgaps.

Frequently Asked Questions