Is Bitcoin Quantum Safe? 6.9 Million BTC Already Exposed

A Deloitte Netherlands study found that 6.9 million BTC — worth hundreds of billions of dollars at current prices — sit in addresses where the public key is already visible on the blockchain. The figure, based on data collected through March 1, 2026, represents 34% of all bitcoin in circulation. Quantum computers capable of exploiting that exposure do not exist today, according to Ark Invest research published in March 2026, but a growing list of Bitcoin developers have started preparing for the day they do.

The question of whether bitcoin is quantum safe has shifted from academic curiosity to active protocol development. Two new Bitcoin Improvement Proposals — BIP-360 and BIP-361 — landed in the Bitcoin repository between February and April 2026. A prototype rescue tool followed weeks later. The timeline remains debatable, yet the technical groundwork is now public.

Deloitte counted 6.9 million BTC with exposed keys

Bitcoin addresses fall into several generations, each with a different relationship to quantum risk. The oldest format — Pay-to-Public-Key, or P2PK — stores the full public key directly on-chain. Deloitte flagged 1.7 million BTC locked in P2PK outputs. Some of those coins are widely believed to belong to Satoshi Nakamoto, and at current prices the P2PK pool alone carries a value near $74 billion.

Later address types added a hashing layer. P2PKH addresses, which begin with “1,” hide the public key behind a SHA-256 and RIPEMD-160 hash — but only until the owner sends a transaction. Once spent, the key appears in the signed transaction data on-chain and stays there permanently.

SegWit addresses starting with “bc1q” (P2WPKH) follow the same pattern: protected while dormant, exposed after spending. Taproot addresses starting with “bc1p” (P2TR) use Schnorr signatures, which offer efficiency gains but share the same elliptic curve assumptions as ECDSA. Deloitte's 6.9 million BTC total includes all addresses — across every format — where the public key has become visible through spending or through the address type itself.

Google whitepaper lowered the qubit estimate

A Google research team published a whitepaper in early 2026 arguing that breaking Bitcoin's elliptic curve cryptography may require fewer than 500,000 physical qubits. Previous estimates from academic groups had placed the threshold at several million. The revised figure brought the discussion closer to hardware roadmaps that companies like IBM, Google, and several startups have published for the late 2020s and early 2030s.

Ark Invest took a different view. In a March 2026 research note, the firm said that “today's quantum systems lack the capabilities required to compromise Bitcoin.” The gap between current hardware and the threshold Google described remains large. Existing quantum processors operate with thousands of qubits, not hundreds of thousands, and error correction — the ability to run stable, long computations — is still an unsolved engineering challenge at scale.

Bernstein, the asset management and research firm, offered a middle ground in April 2026, estimating that the broader crypto industry would need 3 to 5 years to complete a transition to post-quantum cryptography. The timeline assumed that standards bodies, wallet providers, exchanges, and protocol developers would all move in parallel — a coordination challenge that Bitcoin's decentralized governance makes harder than in corporate software.

BIP-360 introduced a quantum-resistant output type

Hunter Beast, Ethan Heilman, and Isabel Foxen Duke proposed BIP-360 in February 2026. The proposal defines a new output type called Pay-to-Merkle-Root, or P2MR, which strips out the keypath spend path present in Taproot (P2TR) outputs. Keypath spending requires revealing a public key on-chain. P2MR eliminates that requirement entirely, relying instead on Merkle tree verification paths that can be built from post-quantum signature schemes.

The design preserves the script flexibility of Taproot while removing the single element — the exposed public key — that quantum computers could eventually target. BIP-360 does not mandate a specific post-quantum algorithm. The authors left that choice open so that the protocol can adopt whichever signature scheme the cryptographic community settles on, whether SPHINCS+, CRYSTALS-Dilithium, or a future candidate.

BIP-361 proposed a phased sunset for legacy signatures

Jameson Lopp and five co-authors published BIP-361 in the Bitcoin repository on April 14, 2026. Editor murchandamus pinned the proposal, signaling its importance to the ongoing discussion. BIP-361 lays out a three-phase plan to retire ECDSA and Schnorr signatures from Bitcoin.

Phase A spans three years. During that window, new deposits to legacy address types — P2PK, P2PKH, P2SH, P2WPKH, and P2TR — would be blocked. Holders would still be able to spend from those addresses, giving them time to move funds into quantum-resistant outputs like the P2MR type defined in BIP-360.

Phase B follows with a five-year countdown. At its end, ECDSA and Schnorr signatures on legacy outputs would stop being valid. Coins that remain in old addresses past that deadline would be frozen — unspendable through the legacy signature path. The proposal acknowledges that some holders may lose access to wallets, forget passphrases, or simply not follow protocol changes. Phase C introduces a rescue mechanism: a zero-knowledge proof system tied to BIP-39 seed phrases. Holders who can prove ownership of a seed without revealing the private key itself would be able to reclaim frozen coins.

“Lopp's proposal treats this as a social problem as much as a technical one,” said one Bitcoin Core contributor who reviewed BIP-361 and asked not to be named. Convincing millions of wallet holders to migrate on a deadline will be the hardest part, that person said, not the cryptography itself.

Lightning Labs CTO built a rescue tool prototype

Olaoluwa “Roasbeef” Osuntokun, chief technology officer at Lightning Labs, built a prototype wallet rescue tool in April 2026. The tool targets a specific scenario: a holder with exposed keys who needs to move coins before a quantum adversary can derive the private key. Osuntokun demonstrated the concept as a proof that migration tooling can be built quickly once standards are in place.

Lightning Labs operates the most widely used implementation of the Lightning Network, Bitcoin's layer-2 payment channel system. Osuntokun's involvement signals that the quantum discussion has reached beyond academic researchers and into the teams building production Bitcoin software. A working rescue tool — even at the prototype stage — gives wallet developers a reference point for integrating migration flows into consumer applications.

Address types carry different levels of quantum risk

Not all bitcoin faces the same exposure. P2PK addresses are the most vulnerable because the public key sits on-chain from the moment of creation. A sufficiently powerful quantum computer could derive the private key at any time, with no spending transaction needed to reveal the key first.

P2PKH and P2WPKH addresses remain protected as long as the holder has never sent a transaction. The hashing layer — SHA-256 followed by RIPEMD-160 for P2PKH, or the witness program for P2WPKH — hides the public key. Once the holder spends, the key enters the blockchain permanently. P2SH addresses, beginning with “3,” wrap the redeem script in a hash, but the key becomes visible upon redemption.

Taproot (P2TR) addresses use Schnorr signatures, which rely on the same elliptic curve discrete logarithm problem as ECDSA. Schnorr brought batch verification and smaller multisig transactions to Bitcoin, but added no quantum resistance. Holders scanning wallets for quantum exposure should check whether any outgoing transaction has revealed the public key on-chain — a task that free tools, including QuantumShield's address scanner, can perform in seconds.

Migration timeline depends on governance and coordination

Bitcoin protocol changes require broad consensus among node operators, miners, wallet developers, and exchanges. BIP-360 and BIP-361 are proposals — neither has been activated nor scheduled for a soft fork. Past upgrades, including SegWit in 2017 and Taproot in 2021, took years from proposal to activation. A quantum migration would be far more disruptive, touching every address type and requiring wallet software updates across the entire ecosystem.

Bernstein's 3-to-5-year estimate for an industry-wide post-quantum transition assumes parallel movement across standards bodies, hardware manufacturers, and software teams. Bitcoin, with no central authority to mandate deadlines, faces a longer and less predictable path. If BIP-361's Phase A were to activate in 2027, the full sunset under Phase B would not arrive until 2035 at the earliest — a window that overlaps with several quantum hardware roadmaps.

“The risk is not that quantum computers break Bitcoin tomorrow,” Osuntokun said in an April 2026 discussion on social media. “The risk is that exposed keys are being catalogued now, and the window to move those coins gets shorter every year.”

If BIP-360 gains developer support while quantum hardware continues to scale toward the 500,000-qubit threshold Google described, early migration to P2MR-type outputs could protect holders well before any deadline arrives. Until a soft fork is scheduled, individual holders retain one immediate defense: moving coins to a fresh address that has never signed a transaction, keeping the public key hidden behind its hash.

Scan any Bitcoin, Ethereum, or Solana address for quantum exposure with the free QuantumShield scanner.

This article is for informational purposes only and does not constitute financial advice. Data as of May 1, 2026.