Researchers at Chaincode Labs have published a detailed report on potential quantum-computing threats to Bitcoin. The 55-page document was prepared by Dr Anthony Milton and Clara Schickelmann in May 2025.
How many bitcoins are at risk
The authors estimate that 20% to 50% of all bitcoins in circulation (4–10m BTC) are potentially vulnerable to attacks using cryptographically relevant quantum computers (CRQCs).
The most precise estimate, from Project Eleven on 17 January 2025, points to 6,262,905 BTC. The funds break down as follows:
- Satoshi-era bitcoins — 600,000 to 1.1m BTC remain on P2PK addresses with fully exposed public keys;
- lost coins — 2m to 3m BTC belong to users who have lost access to private keys. Not all are quantum‑vulnerable, but a significant share is at risk;
- addresses with exposed keys — millions of bitcoins sit at addresses where public keys were revealed through reuse.
The researchers draw particular attention to the concentration of funds at exchange addresses. Some hold hundreds of thousands of bitcoins, making them priority targets for potential quantum attacks.
“As for assets with exposed public keys, many large holders, including exchanges and institutional custodians, have historically managed their cold storage by reusing addresses for operational simplicity. […]
As a result, an economically prioritized list of targets for quantum attacks emerges: breaking into such addresses could deliver the maximum return for the effort invested,” the report says.
When to expect “Q-Day”
In 2024 the Global Risk Institute ran a survey of 32 leading academics. Almost a third (10 of 32) reckon the probability of a CRQC within the next ten years is 50% or higher.
The authors point to government initiatives that underscore the seriousness of the threat:
- United States. President Joe Biden’s National Security Memorandum from May 2022 sets a goal to “mitigate potential quantum risks by 2035.” NIST has set 2030 as the deadline to retire RSA‑2048 and ECC‑256, with a full ban by 2035;
- United Kingdom. The National Cyber Security Centre has issued a three‑phase migration plan: identify vulnerable systems by 2028; priority upgrades from 2028 to 2031; full migration from 2031 to 2035;
- European Union. ETSI is coordinating an approach through its Quantum‑Safe Cryptography working group, though specific timelines are not yet set;
- China. Instead of adopting NIST standards, in February 2025 China launched its own “Next‑Generation Cryptographic Algorithms for Commercial Use” programme through the Institute of Commercial Cryptography Standards. No public implementation timeline has been announced.
The researchers also note accelerating progress in quantum computing. In December 2024 Google unveiled the Willow processor with 105 physical qubits, marking a key milestone in quantum error correction. Microsoft in February 2025 introduced Majorana 1 — the first quantum processor based on topological qubits.
Two types of quantum attack
Quantum computers threaten Bitcoin by breaking elliptic‑curve cryptography via Shor’s algorithm. This algorithm can derive a private key from a public key in hours or days rather than the quadrillions of years required by classical computers.
Long‑horizon attacks target three script types with known public keys:
- Pay to Public Key (P2PK) — the oldest type, used for early mining rewards. It accounts for 0.025% of UTXO but holds 8.68% of the bitcoin supply;
- Pay to MultiSig (P2MS) — “raw multisig,” introduced in 2011. It covers 1.037% of UTXOs with roughly 57 BTC;
- Pay to Taproot (P2TR) — introduced in 2021, it makes up 32.5% of UTXOs with 0.74% of supply (146,715 BTC).
Short‑term attacks affect all transactions, but only within a narrow time window when a user’s public key is exposed in the mempool prior to confirmation.
Burn or leave
The fate of quantum‑vulnerable funds has already split the community into two camps.
Advocates of “burning,” led by Jameson Lopp, argue that removing vulnerable coins would preserve Bitcoin’s integrity. In their view, allowing quantum computers to seize funds is akin to redistributing wealth from those who lost access to their bitcoins to those who win the technological race for quantum computers.
Lopp likens the quantum vulnerability to a protocol‑level bug that should be fixed. Burning, he says, would provide certainty and limit market volatility.
Opponents see burning as confiscation and a violation of coin‑holders’ property rights. Bitcoin, they argue, was designed so users retain full sovereignty over their funds, with the ability to access them at any time.
A change that renders certain UTXOs permanently unspendable would amount to third‑party interference — precisely what Bitcoin was created to resist. It would be de facto confiscation for owners who, for whatever reason, are unaware of the quantum threat or cannot move coins to quantum‑resistant addresses in time.
Either path would affect the overall bitcoin supply (if coins are burned) or lead to a large redistribution of wealth (if “quantum theft” occurs). Legal questions also arise over developers’ potential liability for any decision.
Proposed solutions
Developers are weighing several approaches to quantum safety, each with its own advantages and trade‑offs.
OP_CAT in Tapscript (BIP‑347). Ethan Heilman and Armin Sabouri propose restoring the OP_CAT opcode, disabled by Satoshi in 2010. It would enable Lamport signatures that are resistant to quantum attacks.
QuBit (BIP‑360). A developer using the pseudonym Hunter Beast has presented the most worked‑through proposal after months of discussion. P2QRH introduces a new output type using the NIST‑approved FALCON algorithm, as well as CRYSTALS‑Dilithium and SPHINCS+.
Quantum‑safe Taproot scripts. Matt Corallo has proposed adding an OP_SPHINCS opcode to verify post‑quantum signatures. This would let wallets create Taproot outputs with a quantum‑safe spend path. Luke Dashjr noted that wallets could begin implementation as soon as the specification is finalised, without waiting for a soft‑fork activation.
Signature compression via STARKs. Ethan Heilman has proposed aggregating post‑quantum signatures into a single compact STARK proof. This could increase Bitcoin’s throughput while improving privacy.
Transition strategy
The authors suggest a two‑track approach, acknowledging uncertainty about the quantum timeline.
- short‑term measures (two years) — build a minimally viable solution for emergency deployment;
- long‑term plan (seven years) — design an optimal quantum‑resistant protocol. The timeline references the precedents of SegWit (8.5 years from concept to adoption) and Taproot (7.5 years).
They estimate that migrating all UTXOs to quantum‑resistant addresses would take 76 to 568 days, depending on available block space.
Mining appears safe
Quantum computers are unlikely to disrupt bitcoin mining in the foreseeable future owing to fundamental constraints.
“Unlike quantum attacks on digital signatures, quantum mining has to compete with classical mining. In the case of Bitcoin’s elliptic‑curve‑based signatures, once quantum computers reach sufficient maturity, a single machine (a CRQC) will be able to compromise funds by breaking the cryptography used. Quantum mining, by contrast, would require a large number of fast quantum machines to match the performance of modern ASICs. Unlike classical mining, quantum mining parallelises poorly, which makes it far harder to scale and much less efficient in practice,” the report says.
What holders should do
The researchers recommend:
- stop reusing addresses;
- move funds from vulnerable script types (P2PK, P2MS, P2TR) to more protected ones (P2PKH, P2SH, P2WPKH, P2WSH);
- exchanges should change their cold‑wallet management practices to minimise quantum risks.
The report stresses that, while the quantum threat is not immediate, the window for preparation will narrow as technology advances. Proactive steps today are necessary for Bitcoin’s long‑term survival.
Earlier, Project Eleven offered 1 BTC for a quantum break of Bitcoin’s cryptography.