QRI Research Note

When Quantum Can Target Exposed Bitcoin Public Keys

Quantum Threat Level 90

The level where Bitcoin-specific risk becomes operational

Bitcoin risk is not just whether a quantum computer can solve an elliptic-curve key eventually. It is whether it can solve a secp256k1 public key fast enough to steal funds from public-key-exposed outputs or to race transactions before defenses are in place.

Index level90 / 100
Planning windowAfter modern ECC attacks become practical; exact date depends on runtime and Bitcoin migration
Bitcoin statusUnsafe for exposed or poorly managed public keys

This is the first scale milestone that directly references Bitcoin users, wallet behavior, and transaction exposure.

What this level means

A Bitcoin public key is usually hidden behind a hash until coins are spent, depending on address type and wallet behavior. Once a public key is exposed on-chain, a sufficiently capable quantum attacker could try to derive the private key and sign a competing transaction.

Risk depends on speed. A machine that can solve one public key in months is dangerous for already-exposed keys but less useful for racing new transactions. A machine that can solve keys in minutes or hours changes the threat model dramatically.

What technology needs to be developed to get here

This level requires not only a modern ECC-capable quantum computer, but an operational attack pipeline aimed at Bitcoin secp256k1 and the live network.

secp256k1-specific circuits

P-256 progress is not enough by itself. Attackers need efficient circuits for the exact curve Bitcoin uses, including field arithmetic over secp256k1 parameters.

Practical runtime

Bitcoin risk changes when solving a key is fast enough to exploit exposed public keys. Minutes, hours, days, and months imply very different attacker models.

Target selection

Attackers would scan the chain for reused addresses, old pay-to-public-key outputs, and high-value exposed keys. Software would prioritize targets by value and feasibility.

Transaction automation

A real attack requires generating signatures, constructing transactions, setting fees, and broadcasting at the right time. Quantum output must be integrated into classical Bitcoin tooling.

Defensive migration

Wallets, exchanges, custodians, and node software would need quantum-aware policies: avoid key reuse, move exposed funds, and support quantum-safe script paths if available.

Network response

The Bitcoin community would need governance, soft-fork or hard-fork discussions, exchange policies, and monitoring to distinguish panic from real exploitation.

Expected timeline and development path

This milestone follows modern ECC capability but depends strongly on runtime. A slow ECC break and a fast Bitcoin theft tool are not the same event.

Before Level 90

A modern ECC demonstration occurs, and secp256k1 resource estimates become credible enough for Bitcoin-specific risk scoring.

Transition period

High-value exposed keys become the first concern. Wallets and custodians should already have moved funds away from exposed public keys by this point.

Operational risk

If key recovery reaches hours or minutes, transaction racing and mempool exposure become realistic attack paths unless Bitcoin has migrated.

What this means in real life

For the average person, this level is easiest to understand through wallet habits and custody.

Reused addresses

People who reuse addresses expose public keys more often and create unnecessary risk.

Old wallets

Very old wallet formats and old pay-to-public-key outputs may require special attention.

Exchanges

Custodians would need to move funds, rotate infrastructure, and prove quantum-safe readiness.

Transaction timing

Users may hear warnings about confirmation windows, public-key exposure, and not leaving coins in vulnerable outputs.

Hardware wallets

Device vendors would need firmware and address-format migration support.

Public dashboards

Risk tools would track exposed public-key value and migration progress across the chain.

Bitcoin relevance

This is a direct Bitcoin milestone. It does not imply every Bitcoin is instantly stolen, but it means some coins may be materially vulnerable depending on address type, key exposure, and attacker speed.

The best defense is not panic. It is a planned migration to quantum-safe spending paths, careful wallet behavior, and broad ecosystem coordination well before the machine exists.

Signals QRI would look for

  • Credible secp256k1 discrete-log resource estimates
  • A modern ECC break with runtime short enough to extrapolate to Bitcoin risk
  • Rising value of exposed public-key outputs tracked by public dashboards
  • Wallet vendors shipping quantum-migration features
  • Bitcoin improvement proposals for quantum-safe signatures or migration paths

Sources and framing

QRI treats these dates as planning ranges, not predictions. The references below inform the article series: NIST has finalized practical PQC standards, NIST NCCoE emphasizes inventory and migration planning, NSA/CNSA guidance says planning and budgeting should happen now, and Google has published both an accelerated PQC migration target and updated factoring-resource estimates.