Bitcoin's supply at risk from quantum computing: 5,071,264 BTC (25.3%)

4 replies 201 views
RogueMinerFull Member
Posts: 58 · Reputation: 306
#1Jan 7, 2017, 06:01 AM
Here's the gist: We analyzed the entire Bitcoin blockchain from the genesis block up to block 952,694 using Bitcoin Core 28.0.0, and we sorted out every UTXO based on whether its public key is already visible on the blockchain. Currently, there are 5,071,264 BTC, which is about 25.3% of the total circulating supply, that are exposed to quantum threats, spread across 12,749,047 addresses. And yeah, anyone who was mining or making transactions between 2009 and 2013 might have some of this at risk. Now, let’s break it down (as of 2026-06-07, block 952,694): For the veterans out there: 1,822,794 BTC in the exposed pool has had its public key visible for more than 5 years. Almost all of the 853,247 BTC from P2PK comes from coinbase outputs from 2009-2010, aligning with the Patoshi pattern that Sergio Lerner has talked about for years. But honestly, the really big deal is in the modern P2WPKH (bc1q) addresses that have been reused after transactions. That’s the current users, not just some old coins sitting around. Regarding how we figured this out: the numbers really hinge on the methodology. Some draft proposals for post-quantum migration say "over 34%" is exposed. Wicked Smart Bitcoin's open-source dashboard shows 34.55% (from block 951,000) using a conservative approach where every spent-from P2SH/P2WSH counts. We took a stricter route: P2SH/P2WSH only counts if the revealed script has a public key opcode in it (like pubkey push + CHECKSIG family, or CHECKMULTISIG). Scripts that only have timelocks or hash pre-images don't expose keys and are left out. So, the 25.3% we found is a strict lower limit, while 34.55% is a conservative upper limit, and the real exposure is likely somewhere in between. All three ways to measure this are public, and we’re not hiding the differences.
6 Reply Quote Share
Posts: 33 · Reputation: 177
#2Jan 7, 2017, 06:36 AM
Don't get me wrong,  but when the QC powerful enough gets into the mix of breaking all and every vulnerable crypto systems,  no matter whether you have your public keys exposed or not.  In another term,  the world of internet and then the actual world we're living in is screwed.  Distance from secp256k1 and SHA256  is less than 1 in terms of breakability,  not to mention RIPEMD160 which is for now our most immediate concern. Don't panic just yet,  there are solutions to prevent everything from going under the water.  It just requires less than 20k BTC  to fund the transition.
5 Reply Quote Share
chris.altHero Member
Posts: 458 · Reputation: 2287
#3Jan 8, 2017, 06:17 PM
I always thought Satoshi's P2PK funds alone were more than a million coins already? Or has he used P2PKH already (I'm referring to Patoshi of course)? These numbers are much better than I expected. The million coins in P2PK / P2TR plus a few ones in P2MS would not create more than a regular "dip" for the price if they're cracked, and it's very unlikely they'll be stolen in a single day or even a month (more likely in a year or so). It's really time to introduce more measures against re-using addresses. Still many wallets do not even warn you when you do that ... I don't agree. If you already have coins on a reused address, then one spend more does not alter the picture. I think the more people "migrate" their coins from reused addresses to a fresh address, the better. Of course nobody should migrate from a non-reused address without exposed public key, but ... where should they migrate to anyway?
1 Reply Quote Share
RogueMinerFull Member
Posts: 58 · Reputation: 306
#4Jan 8, 2017, 06:25 PM
Worth distinguishing the two quantum attacks: Shor's algorithm gives exponential speedup against ECDSA on secp256k1; that's the existential threat to exposed pubkeys. Grover's algorithm gives square-root speedup against SHA256/RIPEMD160; that's a weakening (256-bit -> 128-bit effective security for SHA256, 160-bit -> 80-bit for RIPEMD160), not a break. The "distance is less than 1" framing conflates the two. Pubkey hashes (P2PKH/P2WPKH) are quantum-safe in practice until first spend, even with a CRQC. On the 20k BTC migration funding estimate, interesting, what's that based on?
2 Reply Quote Share
RogueMinerFull Member
Posts: 58 · Reputation: 306
#5Jan 8, 2017, 11:17 PM
Good point on already-exposed addresses; you're right that for reused addresses or P2PK/P2TR (pubkey already on-chain), one more spend doesn't change exposure. The "don't panic-migrate" framing was specifically about never-spent P2PKH/P2WPKH (pubkey still hidden behind hash). For those, panic-migrating during a quantum emergency means revealing the pubkey in the mempool window, exactly when the threat is acute. For already-exposed addresses: agreed, migrate now. Best current target is fresh never-reused P2PKH or P2WPKH. After a post quantum signature BIP activates, migrate to PQ address types. P2WPKH today is the cleanest path for funds that need to move pre-PQ; pubkey stays hidden under the hash until first spend.
4 Reply Quote Share

Related topics