
Is Bitcoin Ready for the Quantum Threat?

Bitcoin faces a quantum threat with 6.9M BTC exposed under public keys. BIP 360 offers a fix, but is the network moving fast enough?

Crypto Rich

February 26, 2026

Roughly 6.9 million BTC sits in wallets with exposed public keys. That includes an estimated 1 million coins linked to Satoshi Nakamoto. If quantum computers mature fast enough to crack elliptic curve cryptography, those coins are up for grabs. The community now faces a choice that could define Bitcoin's next decade: protect those coins or let them go.

The debate took center stage at ETH Denver this week, where BIP 360 co-authors Hunter Beast and Isabel Foxen Duke laid out the stakes. According to their panel, the network's Taproot address format exposes a tweaked public key on-chain, and it is not the only vulnerable type.

What exactly is at risk?

Bitcoin's security relies on elliptic curve signature schemes (ECDSA and Schnorr): a signature proves control of a private key without revealing it. Classical computers would need billions of years to recover a private key from its public key. Quantum computers running Shor's algorithm could potentially do it much faster.

The most vulnerable coins are those in legacy Pay-to-Public-Key (P2PK) addresses, where the public key sits permanently visible on the blockchain. CoinShares estimates about 1.6 million BTC, roughly 8% of total supply, sits in these older address types. But the exposure extends further. Taproot addresses also reveal a tweaked public key, and reused addresses have already exposed their keys in earlier transactions. Altogether, about 30% of all Bitcoin sits under exposed public keys.

Bitcoin analyst Willy Woo flagged something unusual late last year: Taproot usage dropped from 42% of transactions in 2024 to just 20%. He noted he had never seen a newer address format lose adoption before, adding that Taproot is quantum-vulnerable while older SegWit and Legacy formats are not.

How close is Q-Day?

This is where the real disagreement lives.

Capriole Fund founder Charles Edwards published a report on February 20 arguing that Bitcoin's fair value should already be discounted by 20% to reflect quantum risk. His model assigns a 20% probability that Q-Day (the moment quantum computers can crack Bitcoin's cryptography) arrives by 2028. If the network fails to upgrade, Edwards warns that discount jumps to nearly 40% by 2027 and 60% by 2028.

Edwards pointed to 2025 as evidence that the market is already pricing this in. Despite favorable post-halving conditions and rising global liquidity, Bitcoin posted its first negative post-halving year in history. He attributes the underperformance to what he calls the "Quantum Event Horizon," the point where the time needed to upgrade roughly matches the time left before Q-Day.

CoinShares fired back with a very different assessment. Their February report argues the threat is at least 10 to 20 years away, requiring quantum systems roughly 100,000 times more powerful than anything that exists today. They estimate only about 10,200 BTC could realistically be stolen and sold quickly enough to cause market disruption. The rest is scattered across more than 32,000 individual wallets averaging around 50 BTC each, making rapid exploitation impractical even under optimistic quantum assumptions.

What about AI? The nearer-term threat nobody talks about

While quantum computing grabs headlines, there is a more immediate vulnerability hiding in plain sight: weak key generation from Bitcoin's early years.

Multiple incidents have shown that wallets created between 2011 and 2015 sometimes used flawed random number generators with predictable entropy. The Libbitcoin Explorer vulnerability, disclosed in late 2025, exposed over 120,000 Bitcoin private keys because the software seeded its randomness using only system time. The Mersenne Twister-32 algorithm used had a seed space limited to roughly 4.3 billion possible values, making brute-force reconstruction trivial for anyone who knew roughly when a wallet was created.

This is where AI enters the picture. Modern machine learning excels at pattern recognition. Neural networks can analyze weak pseudo-random number generators, detect biases in seed sequences, and predict outputs far more efficiently than traditional brute-force methods. Unlike quantum computing, this capability exists right now.

The 2020 theft of over 127,000 BTC from the Chinese mining pool LuBian, worth more than $8 billion at today's prices, may have stemmed from predictable private keys. The so-called "Blockchain Bandit" identified 732 weak Ethereum private keys and silently siphoned roughly 45,000 ETH over years. BitcoinJS, a widely used wallet generation tool, was found to produce keys with insufficient entropy, affecting millions of wallets created before March 2012.

AI does not need millions of qubits or error-corrected quantum states. It needs patterns, and old key generators are full of them.

What is BIP 360 and can it fix this?

BIP 360 was merged into the official Bitcoin Improvement Proposal repository on February 11, 2026. Co-authored by Hunter Beast, Ethan Heilman, and Isabel Foxen Duke, it introduces Pay-to-Merkle-Root (P2MR), a new output type designed to work like Taproot but without the quantum-vulnerable key-path spend.

In plain terms: current Taproot addresses expose a tweaked public key on-chain. P2MR removes that exposure entirely. Spends must go through a script path and Merkle proof instead. The trade-off is larger transaction sizes, but the quantum attack surface shrinks.

BIP 360 is not the complete fix. It is a foundation for future soft forks that would introduce actual post-quantum signature schemes like ML-DSA (Dilithium) or SLH-DSA (SPHINCS+). Nothing changes automatically. Users would need to voluntarily move their coins to the new address format over time.

The freeze-or-steal dilemma

The hardest question is what happens to coins that never move.

Some proposals suggest freezing all P2PK addresses and Satoshi's coins after a set deadline. Others argue that freezing coins violates Bitcoin's core property rights and immutability promises. Foxen Duke said at ETH Denver that getting consensus around freezing proposals would be "an incredibly difficult and politically challenging problem to solve." She warned that if quantum capability arrives before consensus on migration, the consequences for the network would be severe.

Edwards takes a harder line, arguing all coins should migrate to quantum-resistant addresses by 2028, with unmigrated coins burned. Strategy chairman Michael Saylor dismissed the urgency entirely, stating the quantum threat is still 10 to 20 years from maturity and that Bitcoin will simply upgrade when the time comes. That puts him closer to CoinShares and Adam Back, who called the threat "decades away," than to Edwards, who sees the clock already ticking. No camp has built majority support, and Bitcoin's conservative governance makes rapid protocol changes extremely difficult to push through.

Where does this leave Bitcoin holders?

The practical takeaway is straightforward.

  • If your coins are in modern P2PKH or P2WPKH (SegWit) addresses and you have not reused addresses, your public key is not visible until you spend. You are in the safer category for now.
  • If you hold coins in P2PK or Taproot addresses, or if you generated your wallet using old software from 2011 to 2015, your exposure is higher.
  • Moving funds to newer address types costs a transaction fee but removes the long-exposure risk.
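
As an added example (not from the original article or from any wallet project), the Python sketch below classifies an output script into the four address types named above and reports whether its public key is already on-chain. The function names, the address_reused flag and the sample scripts are assumptions constructed for illustration.

```python
# Added example: does an output script already reveal its public key?
# Script templates are the standard ones for the four types named above.
P2PK, P2PKH, P2WPKH, P2TR, OTHER = "P2PK", "P2PKH", "P2WPKH", "P2TR", "other"

def script_type(spk: bytes) -> str:
    n = len(spk)
    # <33- or 65-byte public key push> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return P2PK
    # OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return P2PKH
    # OP_0 <20-byte key hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return P2WPKH
    # OP_1 <32-byte tweaked public key>
    if n == 34 and spk[:2] == b"\x51\x20":
        return P2TR
    return OTHER

def key_exposure(spk_hex: str, address_reused: bool = False):
    """Return (script type, exposed?, reason); exposed is None if unknown."""
    kind = script_type(bytes.fromhex(spk_hex))
    if kind in (P2PK, P2TR):
        return kind, True, "public key is in the output script"
    if kind in (P2PKH, P2WPKH):
        if address_reused:  # assumption: caller knows the address spent before
            return kind, True, "key revealed by an earlier spend"
        return kind, False, "only a key hash is on-chain until first spend"
    return kind, None, "script type not covered by this check"

# Constructed sample scripts with dummy key bytes (not real outputs).
SAMPLES = {
    "p2pk": "21" + "02" + "11" * 32 + "ac",
    "p2pkh": "76a914" + "22" * 20 + "88ac",
    "segwit": "0014" + "33" * 20,
    "segwit-reused": "0014" + "33" * 20,
    "taproot": "5120" + "44" * 32,
    "data": "6a04deadbeef",
}

def audit(samples=SAMPLES, reused=()):
    """Map each label to its verdict; `reused` lists labels of reused addresses."""
    return {k: key_exposure(v, k in reused) for k, v in samples.items()}

if __name__ == "__main__":
    for label, verdict in audit(reused={"segwit-reused"}).items():
        print(label, verdict)
```

A script alone cannot show address reuse, so that fact has to come from the wallet's own transaction history.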

The U.S. National Security Agency's CNSA 2.0 framework already calls for quantum-safe systems by 2030. NIST plans to phase out elliptic curve cryptography in federal systems by the mid-2030s. Bitcoin does not operate in a vacuum.

Whether Q-Day is 3 years away or 20, the preparation window is now. And while everyone watches for quantum breakthroughs, AI-powered pattern recognition is already picking apart Bitcoin's oldest and weakest wallets.


Sources:

  • Decrypt: Coverage of BIP 360 co-authors' ETH Denver panel on quantum risks and exposed public keys
  • Capriole Investments: Charles Edwards' research report on Bitcoin's Quantum Discount Factor and Q-Day probability model
  • CoinShares: Full research report arguing the quantum threat is 10-20 years away with limited market impact
  • Bitcoin Magazine: Reporting on BIP 360's merger into the official BIP repository on February 11, 2026
  • CoinDesk: Analysis of developer positions and BIP 360's role in quantum preparedness
  • Cointelegraph: Coverage of Willy Woo's Taproot usage decline data and Charles Edwards' migration deadline proposal
  • DL News: Reporting on Saylor's position that quantum computing is 10-20 years from threatening Bitcoin
  • Tangem Blog: In-depth analysis of weak random number generator vulnerabilities in early Bitcoin wallets
  • Bitcoin Ethereum News: Reporting on the Libbitcoin Explorer PRNG vulnerability disclosure
  • BIP360.org: Official BIP 360 specification and technical documentation from the proposal's co-authors

Author

Crypto Rich

Rich has been researching cryptocurrency and blockchain technology for eight years and has served as a senior analyst at BSCN since its founding in 2020. He focuses on fundamental analysis of early-stage crypto projects and tokens and has published in-depth research reports on over 200 emerging protocols. Rich also writes about broader technology and scientific trends and maintains active involvement in the crypto community through X/Twitter Spaces, and leading industry events.
