Aksel Cichocki, Quantum Security Lab

Bitcoin and Digital Assets in a Post-Quantum World

Bitcoin's security relies on elliptic curve cryptography. When sufficiently powerful quantum computers arrive, any wallet with an exposed public key becomes vulnerable. This research examines the specific risks and practical defenses available today.

Why It Matters
Researchers estimate over 5 million BTC sit in addresses with exposed public keys (Aggarwal et al., 2017). A sufficiently powerful quantum computer running Shor's Algorithm could make these vulnerable to private key extraction.
Who Should Care
Anyone holding Bitcoin or digital assets, hardware wallet users, custodians, and institutional holders.
What To Do Now
Stop reusing addresses, sweep exposed UTXOs to fresh SegWit addresses, evaluate multisig. See the Defense Checklist.
Individual Holders: check your addresses, review wallet hygiene, sweep exposed UTXOs
Hardware Wallet Users: verify address formats, enable auto change addresses, evaluate multisig
Custodians & Institutions: read the brief, run the checklist, assess key governance posture

Exposed Public Keys Are the Core Risk

How Bitcoin Cryptography Works

Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) over the secp256k1 curve. A private key determines a public key, and a wallet address is derived from a hash of that public key. The critical security assumption is that deriving a private key from a public key is computationally infeasible.

  • Shor's Algorithm — breaks this assumption. A cryptographically relevant quantum computer (CRQC) running Shor's Algorithm can derive private keys from public keys in polynomial time.
  • Address hashing protects unused keys — Bitcoin addresses are hashed versions of public keys (using SHA-256 + RIPEMD-160). The actual public key is only revealed when you spend from an address.
  • Spent-from addresses are exposed — once a transaction is broadcast, the public key is permanently visible on-chain. Any UTXO associated with a revealed public key is vulnerable to a future quantum attack.
Scale of Exposure: Researchers estimate that over 5 million BTC (worth hundreds of billions of dollars) sit in addresses with exposed public keys — including Satoshi's original coins, early miner rewards, and reused addresses (Aggarwal et al., 2017).

How Quantum Attacks on Bitcoin Could Unfold

  • Key Extraction: derive private keys from on-chain public keys to steal funds
  • Transaction Race: extract keys from pending transactions before confirmation
  • Mining Advantage: Grover's Algorithm could provide marginal mining speedups
  • Market Panic: even a credible quantum threat demonstration could trigger instability

The Transaction Window Attack

When a Bitcoin transaction is broadcast, the sender's public key becomes visible in the mempool before the transaction is confirmed. A sufficiently fast quantum computer could theoretically:

  • Intercept the public key from the unconfirmed transaction
  • Derive the private key using Shor's Algorithm
  • Broadcast a competing transaction spending the same UTXOs to an attacker-controlled address

This attack requires a quantum computer fast enough to break ECDSA within the block confirmation window (~10 minutes). Current estimates suggest this is still years away, but the timeline is narrowing.

Hardware Wallets and Quantum Readiness

Current Hardware Wallet Protections

Hardware wallets protect private keys by keeping them isolated in secure elements. While no consumer hardware wallet currently signs transactions with post-quantum algorithms, several manufacturers are building toward quantum readiness:

  • Firmware-upgradable architecture — modern hardware wallets can receive firmware updates that add new signing algorithms when blockchains adopt PQC support.
  • Bootloader integrity — some newer devices use post-quantum algorithms (ML-DSA, SLH-DSA) internally for firmware verification, even though on-chain transactions still use ECDSA.
  • Secure element isolation — the private key never leaves the secure element. This protects against remote extraction but does not protect against on-chain public key exposure.

The most important defense today is not the wallet hardware itself — it is how addresses are managed.

What You Can Do Today

Check your own addresses: Use the Bitcoin Quantum Exposure Tester to check whether your addresses have public key exposure on-chain.

Immediate Steps to Reduce Quantum Exposure

These steps cost almost nothing and dramatically reduce your attack surface against future quantum threats:

  • Never reuse addresses — each time you spend from an address, the public key is revealed. Use a fresh receiving address for every transaction. Most modern wallets do this by default.
  • Sweep exposed UTXOs — if you have funds in addresses you have previously spent from, move them to a fresh address where the public key has never been revealed.
  • Use native SegWit (bc1q) addresses — these keep the public key hidden until you spend. Avoid legacy address formats where possible.
  • Consider multisig — 2-of-3 or 3-of-5 multisig setups mean an attacker would need to break multiple keys simultaneously, significantly raising the bar.
  • Keep seed phrases offline — metal backup plates, never digital. This protects against both classical and quantum-adjacent threats.

Address Exposure Self-Assessment

To evaluate your own quantum exposure, consider these questions:

  • Have you ever spent from an address and left remaining funds in it? Those funds have an exposed public key.
  • Are you using legacy (1...) or nested SegWit (3...) addresses? Native SegWit (bc1q...) is preferred.
  • Does your wallet automatically generate new change addresses? Verify this in your wallet settings.
  • Do you have funds in addresses created before 2017? Early Bitcoin addresses are more likely to have exposed keys.
Bitcoin Address Quantum Exposure Decision Flow (figure):
  • Have you spent from this address? No: key hidden, lower risk. Yes: public key is exposed on-chain.
  • Are remaining funds in this address? No: no action needed, the address is empty. Yes: sweep to a fresh SegWit address (move funds to a bc1q... address immediately).
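The self-assessment questions and the decision flow above, implemented as a small triage script. This is an added example, not the lab's Address Exposure Scanner: it replays a constructed list of transactions (the addresses are placeholders, classified by prefix only and never validated), treats an address as exposed once it has appeared as a spending input, and, going one step beyond the page, also treats bc1p Taproot outputs as exposed, because a P2TR output places the tweaked x-only public key itself in the script rather than a hash of it (BIP 341).

```python
"""Quantum-exposure triage over a constructed transaction history.

Added example, not the lab's Address Exposure Scanner. Addresses below are
constructed placeholders; they are classified by prefix only, not validated.
"""
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list   # (prev_txid, vout, spending_address); empty for coinbase
    outputs: list  # (address, value_sats), indexed by position


# Constructed history: a reused legacy address, a bc1q address spent once,
# a nested-SegWit receiver and a Taproot receiver.
SAMPLE_TXS = [
    Tx("tx1", [], [("1LegacyReusedExample", 500_000), ("bc1qfreshexample0", 200_000)]),
    # spending from the legacy address and sending change back to it (address reuse)
    Tx("tx2", [("tx1", 0, "1LegacyReusedExample")],
       [("3NestedSegwitExample", 100_000), ("1LegacyReusedExample", 390_000)]),
    # spending the bc1q output entirely to a fresh bc1q address and a bc1p address
    Tx("tx3", [("tx1", 1, "bc1qfreshexample0")],
       [("bc1qfreshexample1", 140_000), ("bc1ptaprootexample", 50_000)]),
]


def address_format(addr: str) -> str:
    """Mainnet address family by prefix."""
    if addr.startswith("bc1p"):
        return "taproot P2TR (bc1p...)"
    if addr.startswith("bc1q"):
        return "native SegWit (bc1q...)"
    if addr.startswith("3"):
        return "nested SegWit / P2SH (3...)"
    if addr.startswith("1"):
        return "legacy P2PKH (1...)"
    return "unknown"


def key_in_output(addr: str) -> bool:
    """P2TR outputs carry the tweaked x-only public key itself, not a hash of
    it (BIP 341), so the key is on-chain from the moment funds arrive."""
    return addr.startswith("bc1p")


def assess(txs):
    """Replay the history and apply the decision flow to every address seen."""
    revealed = set()   # addresses that have signed an input (public key now on-chain)
    unspent = {}       # (txid, vout) -> (address, value)
    for tx in txs:
        for prev_txid, vout, addr in tx.inputs:
            revealed.add(addr)
            unspent.pop((prev_txid, vout), None)
        for vout, (addr, value) in enumerate(tx.outputs):
            unspent[(tx.txid, vout)] = (addr, value)

    balances = {}
    for addr, value in unspent.values():
        balances[addr] = balances.get(addr, 0) + value

    report = {}
    for addr in revealed | set(balances):
        balance = balances.get(addr, 0)
        exposed = addr in revealed or key_in_output(addr)
        if not exposed:
            action = "key hidden: lower risk; do not reuse this address"
        elif balance == 0:
            action = "no action needed: address is empty"
        else:
            action = "SWEEP to a fresh bc1q address"
        report[addr] = {
            "format": address_format(addr),
            "balance": balance,
            "exposed": exposed,
            "needs_sweep": exposed and balance > 0,
            "action": action,
        }
    return report


def sweep_candidates(report):
    """Addresses whose funds should move, largest balance first."""
    return sorted((a for a, r in report.items() if r["needs_sweep"]),
                  key=lambda a: -report[a]["balance"])


if __name__ == "__main__":
    for addr, r in assess(SAMPLE_TXS).items():
        print(f"{addr:24} {r['format']:28} {r['balance']:>9} sats  {r['action']}")
```

Running it flags the reused legacy address (still holding change from its own spend) and the Taproot output for sweeping, reports the spent-out bc1q address as empty and needing nothing, and leaves the never-spent bc1q and nested-SegWit addresses as lower risk. Against real data the same replay would be driven by a node or indexer rather than the embedded list.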

Bitcoin's Path to Post-Quantum Security

What the Bitcoin Community is Exploring

Bitcoin's decentralized governance means protocol upgrades move carefully. Several approaches to quantum resilience are under discussion:

  • Hybrid signature schemes — transactions could require both a classical ECDSA signature and a post-quantum signature, ensuring security under both threat models.
  • Commit-delay-reveal — a scheme where spending requires committing to a transaction hash, waiting a delay period, then revealing the actual transaction. This prevents transaction-window attacks even without PQC.
  • New PQC address types — soft-fork proposals could introduce address types that use ML-DSA or SLH-DSA signatures natively.
  • Emergency migration windows — if a credible quantum threat emerges, the network could implement a time-limited migration period where exposed funds must move to quantum-safe addresses.

These proposals are in early stages. The prudent approach is to minimize your own exposure now, independent of protocol-level changes.
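A toy model of the commit-delay-reveal idea from the list above, added here as an example; it is not the reference code of any Bitcoin proposal. The ledger first accepts only a commitment (the SHA-256 of the serialized transaction, which keeps the public key inside it hidden), requires that commitment to age DELAY blocks (an assumed parameter), and when two reveals conflict on the same output lets the earlier commitment win. That ordering is what closes the transaction window: a spend that can only be constructed once the public key is visible necessarily has a later commitment than the owner's.

```python
"""Toy commit-delay-reveal ledger.

Added example illustrating the scheme described above; it is not the
reference code of any Bitcoin proposal. Block heights, the DELAY value and
the transactions are constructed.
"""
import hashlib
import json

DELAY = 6  # blocks a commitment must age before its reveal is valid (assumed)


def serialize(tx: dict) -> bytes:
    """Canonical encoding; the public key travels inside the transaction."""
    return json.dumps(tx, sort_keys=True).encode()


def commitment(tx: dict) -> str:
    """What gets published first: only the hash, so the key stays hidden."""
    return hashlib.sha256(serialize(tx)).hexdigest()


class Ledger:
    def __init__(self):
        self.height = 0
        self.commits = {}  # commitment hash -> height at which it was first seen
        self.spent = {}    # utxo id -> (commit height, commitment hash) of accepted spend

    def mine(self, blocks=1):
        self.height += blocks

    def commit(self, h: str):
        # The first commitment for a hash keeps its height; re-committing cannot backdate it.
        self.commits.setdefault(h, self.height)

    def reveal(self, tx: dict) -> str:
        h = commitment(tx)
        committed_at = self.commits.get(h)
        if committed_at is None:
            return "rejected: no prior commitment"
        if self.height - committed_at < DELAY:
            return "rejected: commitment has not matured"
        prior = self.spent.get(tx["utxo"])
        if prior is not None and prior[0] <= committed_at:
            return "rejected: an earlier commitment already spends this output"
        # Either the first valid reveal for this output, or one with an earlier commitment.
        self.spent[tx["utxo"]] = (committed_at, h)
        return "accepted"


def walkthrough():
    """Owner commits, waits, reveals. A conflicting spend of the same output
    that is committed only after the reveal (the point at which the public
    key became visible) cannot win, even after it matures."""
    ledger = Ledger()
    owner_tx = {"utxo": "u1", "to": "bc1qfreshexample", "pubkey": "02ab...constructed"}
    ledger.commit(commitment(owner_tx))            # height 0: key still hidden
    too_early = ledger.reveal(owner_tx)            # rejected, not matured
    ledger.mine(DELAY)
    owner_result = ledger.reveal(owner_tx)         # height 6: accepted
    rival_tx = {"utxo": "u1", "to": "bc1qelsewhere", "pubkey": "02ab...constructed"}
    ledger.commit(commitment(rival_tx))            # height 6, after the reveal
    ledger.mine(DELAY)
    rival_result = ledger.reveal(rival_tx)         # height 12: loses to the earlier commit
    uncommitted = ledger.reveal({"utxo": "u2", "to": "x", "pubkey": "y"})
    return [too_early, owner_result, rival_result, uncommitted]


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

The model deliberately omits what a real deployment would also need (a bound on how long a commitment stays valid, fees for the commit transaction, and handling of reveals that never arrive); it shows only why ordering spends by commitment time, rather than by mempool arrival, removes the race.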

Tools This Lab is Exploring

Tools marked ● are live now.

  • 01 Address Exposure Scanner (● Live): check whether a Bitcoin address has public-key exposure on-chain.
  • 02 Quantum Risk Score (○ Planned): a scoring model that estimates the quantum vulnerability of a wallet based on address types, exposure history, and fund distribution.
  • 03 Migration Playbook (○ Planned): step-by-step guidance for moving funds from exposed addresses to quantum-safer configurations, including multisig and SegWit strategies.


Protect Your Digital Assets Now

The quantum threat to Bitcoin is not immediate, but the cost of preparation is near zero. Address hygiene and key management best practices protect you today and position you for the post-quantum future.

References & Further Reading
  • BIP 141 — Segregated Witness, witness structure for P2WPKH
  • BIP 341 — Taproot, P2TR output construction and spending rules
  • NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA) — finalized August 2024
  • Aggarwal et al. (2017) — Quantum Attacks on Bitcoin, and How to Protect Against Them
  • NSA CNSA 2.0 — migration guidance for national security systems (target dates, not commercial mandates)