
Bitcoin's Quantum Vulnerability: A Complete Technical Analysis

Bitcoin's cryptographic foundation, the secp256k1 elliptic curve, was designed against classical adversaries. A sufficiently powerful quantum computer running Shor's algorithm changes that calculus entirely. This is a precise technical breakdown of exactly where Bitcoin is exposed, how an attack would unfold, and why the path to a fix is far more complicated than simply swapping signature schemes.

Dr. Sarah Chen
June 1, 2026
9 min read

The Foundation: secp256k1 and Why It Works Classically

Bitcoin's security rests on the elliptic curve discrete logarithm problem (ECDLP). Every Bitcoin wallet is a key pair generated on the secp256k1 curve, a Koblitz curve defined over a 256-bit prime field with the equation y² = x³ + 7. The curve was chosen for its computational efficiency and the absence of a known special-case structure that would weaken classical attacks.

The relationship between a private key and a public key is a one-way function: given a private key k, computing the corresponding public key Q = k·G (where G is the generator point) takes microseconds. Reversing the process classically, finding k given Q and G, requires solving the ECDLP. For a 256-bit curve, the best classical algorithm, Pollard's rho, runs in O(2¹²⁸) operations. At current computing speeds, that is computationally infeasible for any adversary on Earth.
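As an added illustration (not code from the article), here is secp256k1 arithmetic written out from first principles with the real curve constants: computing Q = k·G takes a few hundred group operations, while the only generic way to get k back is a search over the key space. The exhaustive search below is a toy stand-in for Pollard's rho, and the key value 1234 is constructed.

```python
# Added example: secp256k1 (y^2 = x^3 + 7 over F_P) in plain Python integers.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)

def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0

def add(p1, p2):
    """Affine point addition; doubling uses the tangent slope (a = 0 for this curve)."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # P + (-P)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt=G):
    """Double-and-add: k*pt in at most ~512 group operations, the 'easy' direction."""
    result = INF
    while k:
        if k & 1: result = add(result, pt)
        pt = add(pt, pt); k >>= 1
    return result

def brute_force_log(Q, limit):
    """Classical ECDLP by exhaustive search: k steps for a key of size k.
    Pollard's rho cuts this to ~2^128 for 256-bit keys, which is still infeasible."""
    acc = INF
    for k in range(1, limit + 1):
        acc = add(acc, G)
        if acc == Q: return k
    return None

if __name__ == "__main__":
    k = 1234                     # constructed toy private key; real keys are 256-bit
    Q = scalar_mult(k)           # public key derivation: instant
    print("recovered k =", brute_force_log(Q, 5000))   # search: only feasible at toy scale
```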

Quantum computers change the cost function entirely.

Shor's Algorithm: The Exact Attack Pathway

Shor's algorithm solves the discrete logarithm problem in polynomial time on a quantum computer. For secp256k1 specifically, the attack requires approximately 2,330 logical qubits per the most conservative estimates, though more recent optimisations by researchers at institutions including the University of Waterloo and PsiQuantum have proposed implementations requiring as few as 317 logical qubits with significant parallelism. The exact qubit count needed to break Bitcoin remains an active research question, but the direction of the curve is unmistakable: requirements are falling as quantum error correction improves.

The attack proceeds in four stages. First, the adversary encodes the public key Q and generator G into quantum registers. Second, a quantum Fourier transform extracts the period of the group operation. Third, continued fraction expansion converts that period into a candidate for the discrete logarithm. Fourth, classical post-processing verifies and refines the candidate. The result is the private key k, from which the adversary can produce valid ECDSA signatures for any transaction spending from the compromised address.

This is not a theoretical curiosity. It is a deterministic algorithm that will work on any elliptic curve regardless of curve parameters, once the hardware threshold is crossed. Post-quantum cryptography exists precisely because this outcome was anticipated decades before the hardware to execute it existed.

Two Distinct Attack Windows

Bitcoin's quantum exposure is not uniform. It divides into two structurally different attack scenarios with different timelines, different technical requirements, and different consequences.

Window One: The Long-Term Key Derivation Attack

This is the most widely discussed vector. Once a Bitcoin public key is visible on-chain, which happens the moment funds are moved from an address, an adversary with a sufficiently powerful quantum computer can run Shor's algorithm against that public key at any time in the future. The public key is permanent. The blockchain is immutable. The data needed to reconstruct the private key sits in the blockchain forever, at a fixed block height, replicated in every full node on Earth.

This is the mechanism behind the harvest now, decrypt later strategy. Adversaries, including state-level actors, do not need quantum hardware today. They need only to record the public keys exposed on-chain today and process them when hardware matures. Bitcoin's public ledger makes this trivially easy: every public key ever used on the network is preserved in perpetuity.

The scope of exposure here is enormous. Researchers estimate that between three and four million Bitcoin, roughly 15 to 20 percent of the total supply, sit in addresses whose public keys have already been exposed through prior spending activity. Those coins are, in principle, fully recoverable by a quantum adversary with sufficient hardware.

Window Two: The Pre-Confirmation Mempool Attack

This attack window is less discussed but potentially more dangerous in practice. When a Bitcoin transaction is broadcast to the network, it sits in the public mempool for anywhere from seconds to hours before miners include it in a block. During that window, the raw transaction, including the ECDSA signature and the derived public key, is visible to anyone monitoring the network.

A quantum adversary with fast enough hardware could, in theory, extract the public key from an unconfirmed transaction, run Shor's algorithm, derive the private key, construct a replacement transaction spending the same UTXO to an address they control, and broadcast it with a higher fee to displace the original. If the attack completes before the original transaction is mined, the adversary steals the funds without the victim ever realising what happened.

This attack requires quantum computation in minutes to hours, a threshold that is substantially harder to reach than the years-long computation window of the key derivation attack. But it also means that even if Bitcoin successfully migrated all funds to quantum-resistant addresses, the mempool attack surface would persist for every transaction until the signature scheme itself is replaced.

Address Types: Not All Exposure Is Equal

Bitcoin's address ecosystem has evolved over the network's history, and different address formats carry different levels of quantum exposure.

P2PK (Pay-to-Public-Key)

The oldest address type, used heavily by Satoshi and early miners, embeds the full uncompressed public key directly in the output script. There is no hashing step. Any coins locked in P2PK outputs are immediately readable by a quantum adversary with no additional work required to recover the public key. Estimates suggest approximately one million Bitcoin, including a significant portion of the coins mined in Bitcoin's first year, are locked in P2PK outputs. This includes coins widely attributed to Satoshi Nakamoto's early mining rewards.

P2PKH (Pay-to-Public-Key-Hash)

The most common legacy format. The public key is hashed (SHA-256 followed by RIPEMD-160) before being embedded in the address. This provides one important quantum protection property: as long as an address has never been used to send funds, the public key has never been revealed, and Shor's algorithm cannot be applied because there is no public key to attack. The address itself is only a hash of the public key.

However, the moment a P2PKH address is used to spend, the full public key is revealed in the transaction's input script, permanently exposing it to the key derivation attack described above. Reusing P2PKH addresses, a common practice in Bitcoin's early years, means those public keys are already on-chain. Single-use P2PKH addresses with funds that have never been moved are currently safe from quantum attack, though this protection dissolves the instant those funds are spent.

Bech32 and Native SegWit (P2WPKH, P2TR)

Native SegWit addresses (bech32, P2WPKH) share the same structural quantum exposure as P2PKH: the public key is hashed into the address, providing pre-spend protection, but the public key is revealed on spend. Taproot addresses (bech32m, P2TR) use a slightly different construction: the output script contains a 32-byte x-only public key directly, meaning Taproot outputs have their public key on-chain immediately upon receipt, before any spending occurs. This is a marginal increase in quantum exposure relative to P2WPKH for outputs that have not yet been spent.

The bottom line is that no current Bitcoin address format provides meaningful protection against a post-threshold quantum adversary for coins that have ever been moved.

The Flag Day Dilemma

Recognising the threat is straightforward. Fixing it is not. Bitcoin's governance model, which relies on rough consensus among developers, miners, node operators, and users without any central authority, makes coordinated cryptographic migration extraordinarily difficult. The challenge is known informally as the flag day dilemma.

A quantum-resistant migration would require Bitcoin to adopt a post-quantum signature scheme, likely one of the NIST-standardised algorithms: ML-DSA (formerly CRYSTALS-Dilithium), SLH-DSA (formerly SPHINCS+), or FN-DSA (formerly FALCON). Each of these produces signatures that are substantially larger than ECDSA: ML-DSA signatures are approximately 2,420 bytes, compared to 72 bytes for a typical ECDSA signature. This is not a rounding error. It represents a 33-fold increase in signature size that would significantly increase block space consumption, reduce effective throughput, and increase validation costs across the entire network.

Beyond the technical challenges, any migration requires a coordinated soft or hard fork. Bitcoin's history of contentious upgrades, including the block size wars of 2015 to 2017, demonstrates how difficult protocol changes are even when the technical path is clear and the urgency is high. A quantum migration would involve forcing users to move funds from legacy addresses to new quantum-resistant addresses before a deadline, freezing any coins that fail to migrate, and simultaneously rolling out new address formats, script types, and fee structures. The social coordination problem may be harder than the cryptographic one.

There is also the deeper problem of the Satoshi coins. Somewhere between 750,000 and 1.1 million Bitcoin mined in the network's first year have never moved, largely sitting in P2PK outputs with exposed public keys. No migration mechanism can compel movement of those coins. Any flag day that freezes unmigrated quantum-vulnerable funds would effectively destroy them, a political and economic decision that Bitcoin's community has never come close to agreeing on.

The blockchain quantum migration problem is arguably worse for Bitcoin than for any other network, precisely because of its age, its governance structure, and the irreversibility of its historical record.

Why Bitcoin Is Harder to Fix Than It Sounds

Three structural properties make Bitcoin uniquely difficult to quantum-harden compared to newer blockchains.

First, immutability is the feature, not a bug. The same property that makes Bitcoin's transaction history trustworthy, its inability to be altered, means every public key ever exposed on the network is permanently accessible. A quantum adversary needs no special access to historical data. It is all public.

Second, Bitcoin has no native upgrade mechanism for key material. Unlike a certificate authority that can revoke and reissue certificates, Bitcoin has no on-chain mechanism to invalidate a compromised private key. Once a quantum adversary derives a private key from a public key, they can spend the associated funds at any time. The only defence is to move the funds first.

Third, the network's conservative upgrade culture, designed to protect against capture and manipulation, creates meaningful friction for the kind of large-scale coordinated change that a quantum migration requires. This is not a criticism. It is a design trade-off that has served Bitcoin's security and censorship resistance well. But it makes Bitcoin significantly less agile than purpose-built quantum-resistant networks when the threat level changes.

Newer blockchains, including those designed explicitly for the post-quantum era, can implement quantum-resistant signatures from genesis, avoid ever exposing public keys on-chain, and build dynamic upgrade mechanisms that respond to the evolving quantum threat landscape without requiring hard forks or social consensus battles. The structural differences between quantum-resistant blockchains and traditional ones are not cosmetic. They reflect fundamentally different assumptions about the adversary.

Assessing Your Exposure

For individuals and institutions holding Bitcoin, the practical question is straightforward: have the addresses holding your funds ever been used to send? If yes, the public key is already on-chain and you carry long-term quantum exposure. If no, you carry no current exposure but will reveal your public key the moment you spend, at which point the clock starts.
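As an added example (not the article's own tooling), the following classifier applies the exposure rules from the address-type section to a set of outputs and answers the question above for each UTXO: it recognises the standard P2PK, P2PKH, P2WPKH and P2TR script templates, flags which ones carry the public key in the output itself, and pulls the key out of a P2PKH spending script to show where a spend publishes it. The sample scripts and the "address has spent before" flags are constructed placeholders; the key and hash bytes are zeros, not real data.

```python
from typing import NamedTuple, Optional

class Exposure(NamedTuple):
    script_type: str
    key_on_chain: bool   # True if the output script itself contains the public key
    note: str

def classify_output(spk: bytes) -> Exposure:
    """Match a scriptPubKey against the standard templates the article discusses."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:     # <key> OP_CHECKSIG
        return Exposure("P2PK", True, "full public key embedded in output")
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return Exposure("P2PKH", False, "HASH160 only; key appears in scriptSig on spend")
    if n == 22 and spk[:2] == b"\x00\x14":
        return Exposure("P2WPKH", False, "HASH160 only; key appears in witness on spend")
    if n == 34 and spk[:2] == b"\x51\x20":
        return Exposure("P2TR", True, "32-byte x-only output key embedded in output")
    return Exposure("other", False, "template not handled by this example")

def revealed_pubkey(scriptsig: bytes) -> Optional[bytes]:
    """Extract the key a P2PKH spend publishes: scriptSig is <sig> <pubkey> as direct pushes."""
    pushes, i = [], 0
    while i < len(scriptsig):
        op = scriptsig[i]
        if not 1 <= op <= 75:            # anything but a direct push is not a P2PKH scriptSig
            return None
        pushes.append(scriptsig[i + 1:i + 1 + op])
        i += 1 + op
    key = pushes[-1] if pushes else b""
    return key if len(key) in (33, 65) and key[0] in (2, 3, 4) else None

def assess(utxos):
    """utxos: (scriptPubKey, address_spent_before) pairs -> (type, verdict) per UTXO."""
    verdicts = []
    for spk, spent_before in utxos:
        e = classify_output(spk)
        exposed = e.key_on_chain or spent_before   # a prior spend already published the key
        verdicts.append((e.script_type, "exposed" if exposed else "hidden until spend"))
    return verdicts

# Constructed sample data (not real on-chain scripts); key and hash bytes are placeholders.
FAKE_KEY = b"\x02" + bytes(32)
SAMPLE_UTXOS = [
    (b"\x21" + FAKE_KEY + b"\xac", False),              # P2PK: exposed at receipt
    (b"\x76\xa9\x14" + bytes(20) + b"\x88\xac", True),   # P2PKH address reused after a spend
    (b"\x00\x14" + bytes(20), False),                    # fresh P2WPKH: hidden until spend
    (b"\x51\x20" + bytes(32), False),                    # P2TR: output key exposed at receipt
]
```

Running `assess(SAMPLE_UTXOS)` marks the P2PK, reused P2PKH and P2TR outputs as exposed and only the fresh P2WPKH output as hidden until spend.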

The Quantum Threat Calculator can help quantify this exposure relative to the current hardware trajectory. Bitcoin is not uniquely exposed among cryptocurrencies, but its combination of scale, value concentration, and governance constraints makes it the most consequential single target in the quantum threat landscape.

The technical case for Bitcoin's quantum vulnerability is not contested in the research literature. What remains uncertain is the timeline, specifically how quickly logical qubit counts will scale, how quickly error correction overhead will fall, and whether Bitcoin's development community will achieve the consensus needed to act before the threat crosses from theoretical to operational. Those are not technical questions. They are questions about hardware trajectories and human coordination, and the answers are not fully within Bitcoin's control.

Bitcoin's cryptographic foundation was engineered for a world where the most powerful computers were classical. That world is ending. The question is not whether secp256k1 will eventually fall to a quantum adversary. The question is whether the funds locked behind it will have moved to safer ground before it does.

For a broader view of what happens to the wider ecosystem on the day a cryptographically relevant quantum computer arrives, see our analysis of Q-Day and what happens when quantum breaks Bitcoin. For those evaluating alternatives, the properties of a quantum-resistant blockchain and a comparison of the top quantum-resistant crypto projects in 2026 provide a starting point for understanding what a post-quantum alternative actually looks like in practice. QuanChain's approach, including the TADEQS key architecture that eliminates public key exposure entirely, was designed specifically to address the structural weaknesses this analysis describes.


Dr. Sarah Chen

Head of Cryptography Research

Dr. Sarah Chen leads cryptographic research at QuanChain, specialising in post-quantum algorithm integration and quantum threat timeline analysis. She holds a PhD in cryptography and has published extensively on lattice-based cryptographic systems and their application to distributed ledger security.
