In December 2024, ARK Invest published an analysis that sent shockwaves through the crypto ecosystem: approximately 34% of circulating Bitcoin sits in wallets that could be exposed to quantum attack. Not in some distant, hypothetical future. Potentially within 10 to 15 years, according to the most cautious (worst-case) projections of how quantum computing power will evolve.
This estimate rests on a simple but consequential technical fact: millions of BTC sit on outputs whose public key is already visible on the blockchain, either because the early output format published the key directly or because the address has since been used to spend. A sufficiently powerful quantum computer running Shor's algorithm could derive the private key from that exposed public key. It is as if we had left a fingerprint that no one could exploit until now, but that becomes readable the moment the right tool exists.
For long-term holders, this prospect raises an immediate strategic question: should you act now, or can you consider the risk to be theoretical and distant? The answer isn't binary, but it requires a precise understanding of the nature of the threat and available options.
How does quantum computing concretely threaten Bitcoin security?
Bitcoin relies on two cryptographic pillars: the SHA-256 hash function (with RIPEMD-160 alongside it in address derivation) and digital signatures over the secp256k1 elliptic curve, ECDSA since 2009 and, since the Taproot upgrade of 2021, Schnorr signatures (BIP 340) on the same curve. Quantum computing doesn't threaten hashing and elliptic-curve signatures in the same way.


SHA-256, used for mining and proof of work, holds up relatively well. Grover's algorithm speeds up unstructured search, but only quadratically: a search that costs about N hash evaluations classically costs on the order of the square root of N quantum evaluations. That is not "twice as fast"; for a given difficulty it is a square-root reduction in the number of hash evaluations, and against preimage attacks it cuts SHA-256's effective security from 256 bits to 128 bits, which is still far out of reach. In practice, Grover's iterations run one after another, each evaluating a full double-SHA-256 circuit on error-corrected hardware, so a quantum miner's effective hash rate would remain far below that of an ASIC farm and the real-world gain would be much smaller than the exponent suggests. Disruptive for network balance, possibly. Catastrophic? Probably not.
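Here is the arithmetic behind that square-root figure, added as a worked example for this article (it is not part of ARK's analysis); the difficulty value and the per-evaluation time are illustrative assumptions, not measured values.

With network difficulty $D$, finding a block takes about $W \approx D \cdot 2^{32}$ double-SHA-256 evaluations on average, and Grover's algorithm needs about $\tfrac{\pi}{4}\sqrt{W}$ evaluations, each run through the quantum circuit one after another. Taking $D \approx 10^{14}$ (the order of magnitude of the network in late 2024):

$$
W \approx 10^{14} \cdot 2^{32} \approx 2^{46.5} \cdot 2^{32} = 2^{78.5},
\qquad
\frac{\pi}{4}\sqrt{W} \approx 0.785 \cdot 2^{39.25} \approx 2^{38.9} \approx 5 \times 10^{11}.
$$

The count of hash evaluations falls by a factor of about $2^{39.6}$, not 2. But those $5 \times 10^{11}$ evaluations are sequential: at one error-corrected double-SHA-256 evaluation per microsecond (an assumption, and an optimistic one for today's hardware), a single block would take about $5 \times 10^{5}$ seconds, close to six days, against the network's ten-minute target. The quadratic advantage is real in operation count and irrelevant in wall-clock time until a quantum machine's serial throughput approaches what ASIC farms achieve in parallel.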
The real problem lies with the elliptic-curve signatures, ECDSA and Schnorr alike. Shor's algorithm, published in 1994, solves in polynomial time the discrete logarithm problem on which secp256k1 rests. Published resource estimates put the cost of recovering a secp256k1 private key at a few thousand error-corrected logical qubits, which with today's error-correction overheads translates into millions of physical qubits. With such a machine, deriving a private key from a public key would take hours, or even minutes depending on its size.
Today, the largest quantum processors have on the order of a thousand physical qubits, with error rates still far too high to run Shor's algorithm at that scale, and only a handful of error-corrected logical qubits have been demonstrated. IBM has announced a goal of a 100,000-qubit system by 2033. Google has reported error-correction results in which adding qubits lowers the logical error rate, the prerequisite for scaling. Serious estimates place the emergence of a "cryptographically relevant" quantum computer between 2030 and 2040. But with this type of technology, predictions have regularly been outpaced by reality.
Why are 34% of Bitcoin particularly exposed?
The vulnerability doesn't affect all Bitcoin addresses uniformly. It primarily touches two categories of outputs.
First, P2PK (Pay-to-Public-Key) outputs, the default for coinbase rewards in Bitcoin's early days between 2009 and 2012. These outputs store the public key directly on the blockchain without protecting it behind a hash. Satoshi Nakamoto himself is estimated to have mined approximately one million BTC to outputs of this type, coins that have never moved since. If these funds remain untouched, they become prime targets for a future quantum attack. No one knows whether Satoshi still possesses the corresponding private keys, or whether he would intervene to secure them.
Next, every address that has executed at least one outgoing transaction. When you spend from a P2PKH or P2WPKH address, the input (the scriptSig or the witness) necessarily contains the full public key, because nodes must check that it hashes to the address and that the signature verifies against it. From that moment the public key is permanently on the blockchain. That is harmless if the address is then left empty, but any funds remaining on it, or sent to it again later (address reuse), are controlled by a key an attacker can read. This category represents the majority of the 34% identified by ARK Invest.
Conversely, the hash-based output formats (P2PKH, P2WPKH, P2SH, P2WSH) that have never executed an outgoing transaction are protected by a layer of hashing: the chain holds only HASH160 of the key, that is RIPEMD-160 applied to the SHA-256 of the public key (or, for P2SH and P2WSH, a hash of the script that contains the keys). As long as the public key isn't revealed, even a quantum computer has nothing to attack: Shor's algorithm needs the curve point, and inverting the hash is exactly the problem Grover barely dents. Two caveats. Taproot (P2TR) outputs, the newest format, place the tweaked public key directly in the output, so they are exposed from the moment they are funded, much like P2PK. And the shield is temporary even for the hashed formats: the instant you spend, your public key sits in the mempool until the transaction confirms, and an attacker able to run Shor in minutes could try to race you with a conflicting, higher-fee transaction. The hash is an effective shield for coins at rest, not for coins in motion.
What cryptographic key migration strategies should be adopted now?
For affected holders, several approaches coexist, with varying levels of complexity and urgency.
The simplest strategy consists of moving funds to a fresh address that has never been used to send. If you hold BTC on an address whose public key is already exposed, you create a new address (one of the hashed formats, not Taproot) and transfer the entire balance. The transfer reveals nothing new, since the old key was already public, and the new address, as long as it is not used to send, remains protected by hashing. It's an effective precautionary measure in the short to medium term, but it doesn't solve the fundamental problem: eventually you'll want to spend these BTC, and the public key will be exposed again, at least for the minutes between broadcast and confirmation.
Some wallets already adopt practices that naturally limit exposure. Electrum, like most hierarchical-deterministic wallets, generates a fresh change address for each transaction. When you spend part of your funds, the remainder isn't returned to the original address, whose key has just been published, but to a new address whose public key remains hidden. This approach, which is standard privacy practice (never reuse an address), also provides some protection against the quantum threat.
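To make the address-type distinction from the previous section concrete, and to show the triage a holder would run before deciding which addresses to migrate, here is a small classifier. It is an added example written for this article, not code from ARK Invest, Electrum or any wallet project. The opcode layouts are Bitcoin's standard output templates; the genesis coinbase script is the real output from block 0; every other hash, signature, key and inventory entry is a constructed dummy value.

```python
"""Which Bitcoin outputs already expose a public key, and which stay hash-shielded?

Added example for this article (not code from any wallet project).  Output
templates follow Bitcoin's standard scriptPubKey forms.  GENESIS_COINBASE_SPK
is the real block-0 coinbase output; every other script below is constructed
from dummy bytes and is NOT a real address, key or signature.
"""
from dataclasses import dataclass
from enum import Enum

# Script opcodes used by the standard output templates.
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


class Exposure(Enum):
    KEY_ON_CHAIN = "public key sits in the output itself"
    KEY_ON_SPEND = "only a hash is on-chain; the key appears when spent"
    SCRIPT_ON_SPEND = "only a script hash is on-chain; keys appear when spent"


@dataclass(frozen=True)
class ScriptInfo:
    kind: str
    exposure: Exposure


def classify(spk: bytes) -> ScriptInfo:
    """Recognise the standard scriptPubKey templates by their byte layout."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG  (used by early coinbases)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return ScriptInfo("p2pk", Exposure.KEY_ON_CHAIN)
    # P2PKH: OP_DUP OP_HASH160 <20-byte HASH160(pubkey)> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return ScriptInfo("p2pkh", Exposure.KEY_ON_SPEND)
    # P2SH: OP_HASH160 <20-byte HASH160(redeem script)> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return ScriptInfo("p2sh", Exposure.SCRIPT_ON_SPEND)
    # P2WPKH: OP_0 <20-byte HASH160(pubkey)>
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return ScriptInfo("p2wpkh", Exposure.KEY_ON_SPEND)
    # P2WSH: OP_0 <32-byte SHA256(witness script)>
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return ScriptInfo("p2wsh", Exposure.SCRIPT_ON_SPEND)
    # P2TR: OP_1 <32-byte x-only tweaked pubkey>; the key itself is on-chain
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return ScriptInfo("p2tr", Exposure.KEY_ON_CHAIN)
    raise ValueError("non-standard or unrecognised scriptPubKey")


def quantum_exposed(spk: bytes, spent_before: bool) -> bool:
    """Could a Shor-capable attacker already recover a key controlling this output?"""
    if classify(spk).exposure is Exposure.KEY_ON_CHAIN:
        return True
    return spent_before  # hash-shielded until the owner has signed with it once


def pushes(script: bytes) -> list:
    """Split a script made only of direct data pushes (1..75 bytes) into its items."""
    items, i = [], 0
    while i < len(script):
        n = script[i]
        if not 1 <= n <= 75:
            raise ValueError("only direct pushes are handled here")
        items.append(script[i + 1:i + 1 + n])
        i += 1 + n
    return items


def pubkey_from_p2pkh_spend(script_sig: bytes) -> bytes:
    """A P2PKH scriptSig is <sig> <pubkey>: spending publishes the full key."""
    _sig, pubkey = pushes(script_sig)
    if len(pubkey) not in (33, 65):
        raise ValueError("unexpected public key length")
    return pubkey


def migration_plan(inventory) -> list:
    """Labels of funded outputs whose key is, or has been, public: migrate these."""
    return [label for label, spk, spent in inventory if quantum_exposed(spk, spent)]


# --- sample data -----------------------------------------------------------
# Real: the block-0 coinbase output, a P2PK paying a 65-byte uncompressed key.
GENESIS_COINBASE_SPK = bytes.fromhex(
    "4104678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649"
    "f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5fac")
# Constructed dummies (repeated bytes stand in for hashes; not real addresses).
SAMPLE_P2PKH = bytes([OP_DUP, OP_HASH160, 20]) + b"\x11" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SAMPLE_P2WPKH = bytes([OP_0, 20]) + b"\x22" * 20
SAMPLE_P2TR = bytes([OP_1, 32]) + b"\x33" * 32
DUMMY_SIG = b"\x30" + b"\x00" * 70       # 71 bytes, not a valid DER signature
DUMMY_PUBKEY = b"\x02" + b"\xab" * 32    # 33 bytes, not a real curve point
SAMPLE_P2PKH_SCRIPTSIG = bytes([len(DUMMY_SIG)]) + DUMMY_SIG + bytes([len(DUMMY_PUBKEY)]) + DUMMY_PUBKEY
SAMPLE_INVENTORY = [  # (label, scriptPubKey, has this address ever spent?)
    ("2009 coinbase (P2PK)", GENESIS_COINBASE_SPK, False),
    ("legacy P2PKH, never spent", SAMPLE_P2PKH, False),
    ("legacy P2PKH, spent once, still funded", SAMPLE_P2PKH, True),
    ("segwit v0 P2WPKH, never spent", SAMPLE_P2WPKH, False),
    ("taproot P2TR, never spent", SAMPLE_P2TR, False),
]

if __name__ == "__main__":
    for label, spk, spent in SAMPLE_INVENTORY:
        print(f"{label:40} {classify(spk).kind:7} exposed={quantum_exposed(spk, spent)}")
    print("migrate:", migration_plan(SAMPLE_INVENTORY))
    print("key published by the P2PKH spend:", pubkey_from_p2pkh_spend(SAMPLE_P2PKH_SCRIPTSIG).hex())
```

Run it and the plan lists exactly the three outputs the article singles out: the P2PK coinbase (key in the output), the legacy address that has already signed once, and the Taproot output (tweaked key in the output). The never-spent P2PKH and P2WPKH entries are left alone, which is the point of the migration advice: a hashed address that has never signed gains nothing from being moved. Against a real wallet you would feed `classify` the scriptPubKey of each UTXO and set the spent flag from the address's transaction history.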
The structural solution lies in adopting post-quantum cryptographic standards. NIST (National Institute of Standards and Technology) finalized its first post-quantum standards in August 2024: FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber) for key encapsulation, and FIPS 204 (ML-DSA, derived from CRYSTALS-Dilithium) and FIPS 205 (SLH-DSA, a hash-based scheme derived from SPHINCS+) for digital signatures. Bitcoin needs only the signature side: a new output type whose spending condition is a post-quantum signature instead of an ECDSA or Schnorr one. Bitcoin will need to integrate such a scheme into its protocol, likely via a major update (a soft fork, as SegWit and Taproot were deployed, or a hard fork depending on the approach chosen).
This transition won't be straightforward. It will require broad community consensus, thorough testing, and a period of gradual migration. Post-quantum addresses will coexist with classical addresses for several years. Users will need to choose the right moment to migrate, balancing increased security against the transaction fees associated with much larger signatures: an ML-DSA-44 signature is 2,420 bytes and its public key 1,312 bytes, against roughly 64 to 72 bytes and 33 bytes for today's Schnorr or ECDSA signatures and compressed keys, so a single-signature spend would carry dozens of times more witness data.
Should you really worry now, or can you wait?
The answer largely depends on the size of your position and your holding horizon.
For an institutional holder or investor with a significant position expected to be held over 10 to 20 years, inaction carries real risk. Even if the quantum threat remains uncertain in timing, the cost of preventive security (a few transaction fees) is negligible compared to the risk of total loss. Moving funds to a fresh address each time an address has been used to send, and never reusing an address, constitutes reasonable insurance. Moving coins that sit on a never-spent hashed address on a fixed schedule, by contrast, buys nothing: each such move publishes a key that was not public before and costs fees. Migrate on exposure, not on the calendar.
For a casual user with a modest position, the calculation differs. Transaction fees can represent a non-trivial fraction of capital, especially during periods of network congestion. Waiting for the Bitcoin protocol to natively integrate post-quantum protections can be an acceptable strategy, provided you follow technological developments and remain ready to act if progress accelerates.
What's certain is that quantum risk is no longer a matter of science fiction. Research labs and major technology companies are investing billions in quantum computer development. Governments, aware of national security stakes, are funding massive research programs. Post-quantum cryptography is already a standardized reality; it just needs to be integrated into critical infrastructure.
Bitcoin, as a decentralized network conservative by nature, won't pivot overnight to new cryptographic standards. This transition will take time, require debate, and likely create tensions within the community. Savvy holders are already anticipating this shift and adjusting their security practices accordingly.
The quantum threat to Bitcoin isn't inevitable, but it demands heightened vigilance and gradual behavioral adaptation. In an ecosystem where security responsibility falls entirely on the end user, information and anticipation make the difference between a managed transition and irreversible loss. The time to act may not have come for everyone yet, but the time to inform yourself and prepare your strategy is already here.