Is Bitcoin Quantum Safe?Read more
Jul 12, 2026

Is Bitcoin Quantum Safe?

Sadly, Bitcoin isn’t quantum safe. The reason comes down to a specific piece of math. ECDSA (and Schnorr, for Taproot) over the secp256k1 curve authorizes every Bitcoin transaction, and Shor's algorithm dismantles both on a sufficiently large quantum computer. That's the short answer. As for the longer, more complicated one, it touches upon which coins are exposed, how migration would work, where the timeline sits, and what holders can do before the protocol catches up.

What quantum computing does to Bitcoin

Bitcoin's security has two layers. The first is the signature layer, which proves you own the coins at each address. The second, mining and hashing layer, proves the block ordering and validates the chain. Quantum computing threatens the first layer directly and only marginally reaches the second layer.

Shor's algorithm, running on a large fault-tolerant quantum computer, reverses the one-way math that links a private key to its public key. That math (the elliptic-curve discrete logarithm problem) is what ECDSA and Schnorr rely on. Normally, you can't work backward from a public key to the private one. On a large quantum computer, you can, which lets an attacker sign any transaction and move coins that aren't theirs.

Shor's isn't the only quantum algorithm that touches Bitcoin. The second is Grover's algorithm, a quantum method that speeds up brute-force search. It targets the hashing side, the SHA-256 function behind mining and address generation. Its bite is far smaller than Shor's. Grover's halves SHA-256's security level, from 256 bits down to about 128, and 128-bit security stays far out of reach for any computer, quantum or classical. So Bitcoin mining and ledger integrity stay safe from quantum attack because the specific vulnerability is at the signature layer, where Shor's does the damage.

How exposed is Bitcoin today?

Bitcoin's exposure depends on which address types your coins sit in.

P2PK outputs, the original Bitcoin script type used heavily in 2009 and 2010, store the public key directly in the output. That includes many early mining rewards commonly attributed to Satoshi. Project Eleven’s Bitcoin Risq List puts about 7 million BTC in addresses with exposed public keys, up from the 4 million Deloitte estimated back in 2020.

P2PKH addresses (the "1..." legacy addresses) and P2WPKH addresses (the "bc1q..." SegWit addresses) hash the public key with HASH160. Coins sitting in unspent addresses of these types keep their public keys behind the hash, which offers meaningful protection. Once you spend from these addresses, the public key appears in the transaction data and joins the P2PK exposure category.

Taproot addresses (the "bc1p..." format, live since 2021) put the public key on-chain directly, with no hash layer to hide it. They’re exposed from the moment they receive funds, similar to P2PK.

So, there are two at-risk groups. The immediately-exposed group (P2PK plus Taproot) sits in the danger zone regardless of whether the coins have moved. The other, conditionally-exposed group (hashed address types like P2PKH and P2WPKH), is safe as long as the addresses stay unspent. The group becomes exposed once they spend.

Bitcoin scores 8.33 on our L1 Quantum Vulnerability Index (qLVI, April 2026), which makes it the riskiest chain in the top ten by market cap. The score reflects both the 17-year history of accumulated on-chain risk and the value at stake, about $1.51 trillion in Bitcoin's market capitalization as of April 2026.

01_qvli_ranking-2.png

Quantum Vulnerability Score by chain. Source: qLABS

The migration path

Bitcoin needs a post-quantum signature scheme to remain secure into the quantum era. The proposal furthest along is BIP-360, currently in draft. It’s co-authored by Bitcoin developer Hunter Beast, with cryptographer Ethan Heilman and technical communicator Isabel Foxen Duke. 

It introduces a Pay-to-Merkle-Root (P2MR) address type, a structural step that opens the door to post-quantum signatures and removes Taproot's exposed key-path spend. On its own, it doesn't make Bitcoin quantum safe. It lays the groundwork, and the full fix comes later.

The specific post-quantum signature scheme isn't settled. NIST finalized ML-DSA and SLH-DSA in August 2024, with FN-DSA (Falcon) expected as FIPS 206, still in development. Bitcoin discussions have considered these options, with the trade-offs between how small the signature is and how conservative its security is.

ML-DSA offers reasonable signatures at around 3.3 KB and has become the workhorse candidate. The alternatives include SLH-DSA (stronger assumption durability, 8-49 KB signatures) and FN-DSA (smaller signatures around 700 bytes, harder to implement).

The engineering challenge is massive. Bitcoin's consensus process moves slowly by design. A soft fork requires activation across the entire network, and previous soft forks (SegWit in 2017, Taproot in 2021) each took years from proposal to activation. Post-quantum migration is likely to move on a similar timeline, so Bitcoin's earliest realistic post-quantum deployment sits in the late 2020s at the aggressive end and the early 2030s at more relaxed estimates.

04_mu_preparedness_gap.png

Migration readiness by chain. Bitcoin meets 2 of 3 preparedness checks. Source: qLABS

Bitcoin's Q-Day timing

Q-Day is the day a powerful enough quantum computer can break ECDSA in practice. Estimates range from 2028 to a more mainstream 2029 - 2030, and the approximations keep sliding toward the present as hardware advances. 

In March 2026, Google Quantum AI published a resource estimate that cut the cost of breaking secp256k1 to fewer than 500,000 physical qubits under specific hardware assumptions, which represents a 20x drop from prior best figures.

06_crqc_timeline.png

Recent milestones lowering the engineering bar for a quantum attack on ECC. Source: qLABS

For Bitcoin specifically, the Q-Day question splits into two clocks. The migration clock is the schedule on which Bitcoin adopts a post-quantum signature scheme and how quickly holders move funds into quantum safe addresses. The threat clock covers when quantum hardware becomes capable of practical attacks.

If the migration clock ticks faster than the threat clock, Bitcoin migrates safely and the exposure window closes. In case the threat clock wins instead, coins in exposed addresses become vulnerable during the lag. The two clocks are running in parallel, and the distance between them determines how much value gets caught.

What holders can do

Holders don't have to wait for Bitcoin to migrate, since several actions can reduce your quantum risk now.

First of all, don't reuse addresses. Each time you receive funds, you should generate a new address. Modern wallets already do this by default. The habit of using one address for all incoming transactions was standard practice a decade ago and has been the wrong default for years, both for privacy and now for quantum risk reasons.

Secondly, move long-term holdings into fresh P2WPKH addresses that have never been spent from. This keeps the public key behind the HASH160 buffer, which forces any attacker to break the hash before running Shor on the underlying key. That hash is a second lock an attacker has to pick before Shor even comes into play.

Thirdly, make sure to avoid Taproot for cold storage. Taproot's design predates the current focus on quantum resistance, and its revealed output key means the address is exposed from creation. For long-term holdings, P2WPKH or P2PKH is the safer choice today.

If you are holding Bitcoin on Ethereum, check out a quantum-safe vault by qLABS, qVault.xyz, which is adding more and more assets on Ethereum, and offers a quantum-resistant security layer for crypto assets before the chain migration takes place.

The short version

Bitcoin isn’t quantum safe. Its ECDSA signature scheme falls to Shor's algorithm once a big enough quantum computer exists. About 7 million BTC sits in addresses with exposed public keys today, and the risk grows every time an address spends. Though migration is certainly possible, it’s a very slow process. BIP-360 is the leading draft, which does not ensure quantum protection in itself, and post-quantum activation on Bitcoin is a multi-year process at best.

Until the protocol catches up, holders can reduce their risk by not reusing addresses, keeping long-term funds in unspent hashed addresses, avoiding Taproot for cold storage, and considering a post-quantum vault.

FAQ

Is Bitcoin safe from quantum computers today?

Today yes, as currently there’s no large fault-tolerant quantum computer in existence that could break ECDSA. However, this won’t hold forever. The window opens later this decade, based on quantum hardware that credible forecasts place between 2028 and 2035.

How does quantum computing affect Bitcoin?

Quantum computing breaks the ECDSA signature scheme that authorizes every Bitcoin transaction. Once the hardware exists, any Bitcoin address that has revealed its public key on-chain will be vulnerable to key recovery and unauthorized spending. That said, the mining and hashing side is untouched.

Which Bitcoin addresses are most at risk?

P2PK addresses (from 2009-2010) and Taproot addresses (from 2021 onward) expose their public keys on-chain regardless of whether the coins have moved. P2PKH and P2WPKH addresses stay protected as long as they've never been spent from.

How much Bitcoin is exposed to quantum attacks?

About 7 million BTC sits in addresses with exposed public keys, per Project Eleven's 2026 Bitcoin Risq List, up from Deloitte's 4 million estimate in 2020. The count climbs every time coins move, because spending an address reveals its public key. The number climbs every time coins move, because spending an address reveals its public key.

Can Bitcoin be upgraded to be quantum safe?

Yes, but very slowly. Right now, there’s a draft proposal called BIP-360 (Pay-to-Merkle-Root) for a quantum-resistant address type. Consensus changes on Bitcoin take years, and the specific post-quantum signature scheme has yet to be settled.

What should I do with my Bitcoin?

Move long-term holdings into fresh P2WPKH addresses that have never been spent from. Don't reuse addresses. Avoid Taproot for cold storage. For Bitcoin on Ethereum, consider qvault.xyz, a quantum-safe vault ensuring quantum-resistance for crypto assets before the chains migrate.

qLABS Editorial. Sources are linked inline. See the L1 Quantum Vulnerability Index for our full methodology and conflict-of-interest disclosure.