The security of exchanges has been declining year by year due to frequent fund transfers and complex wallet structures, leading to quantum security risks.

Written by: Rafael Schultze-Kraft

Translated by: Chopper, Foresight News

Recent industry research focuses on a new security risk associated with Bitcoin: which Bitcoins currently face quantum risks under the current holding conditions? The core criterion for judgment is whether the public key for the outgoing tokens has been publicly disclosed on-chain. According to statistics, there are currently 6.04 million Bitcoins at risk from quantum issues on the network, accounting for 30.2% of the total issuance; the remaining 13.99 million Bitcoins (69.8%) have not leaked their public keys during the holding phase and thus pose no related risks. These data are generally consistent with some recent research conclusions.

We categorize this risk into two types. The first type is structural risk: the script type itself discloses the output of the public key. The second type is operational risk: some cryptocurrencies may initially be protected, but due to reasons such as address reuse, partial spending, or custodial behavior, the public key has been leaked while the Bitcoins remain in that address.

Distribution map of Bitcoins at risk from quantum issues provided by Quantum Safety

There are 1.92 million Bitcoins classified as structural risk, accounting for 9.6% of total issuance; there are 4.12 million Bitcoins facing operational risk, accounting for 20.6%. Of these, 1.63 million Bitcoins are held by exchanges, illustrating that the proper use of wallets and asset custodial methods is crucial in reducing the risk of public key leaks.

This article does not make judgments about positions—it neither predicts when practical quantum attacks will materialize nor assesses the security and solvency of any custodial institution. It only quantifies the state of public key leaks on-chain from a data perspective, distinguishing permanently high-risk assets from those that can reduce risks through optimized wallet management and custodial rules.

Understanding Public Key Leak Risks

Bitcoin assets are controlled by private keys, while public keys are used to verify the legitimacy of the private key signatures on the network. Under traditional cryptographic systems, it is not possible to reverse-engineer the private key from a public key, making the assets sufficiently secure.

The core threat posed by quantum computers lies in the ability of high-performance cryptographic quantum computers to use Shor's algorithm to reverse-engineer the corresponding private key from the known public key. This simplifies the related on-chain issues:

If the public key has been disclosed, then the cryptocurrency is exposed. An attacker does not need to wait for the owner to transfer the cryptocurrency because the public key is already available. If the public key is not visible on-chain, then according to this specific static storage model, the cryptocurrency is currently not exposed.

This article focuses on the asset risks during the holding state, which means the tokens are static but the associated public keys have been leaked. This differs from exposure during transactions, where the public key is only disclosed during broadcasting and confirming the transaction, belonging to the temporal risk at the transaction settlement layer; the former is a precisely quantifiable stock risk asset. The "secure assets" referred to in this article only represent those that have not leaked their public keys during the holding phase, and do not constitute absolute quantum-resistant assets adaptable to all future quantum attack scenarios.

Distribution map of quantum-safe Bitcoin supply provided by Quantum Safety

Structural Exposure: Innate Security Hazards

The risk of these assets is determined by the address script format and is independent of whether the user properly uses the wallet, destined to expose the public keys on-chain. This includes early P2PK addresses from the Satoshi Nakamoto era, traditional multi-signature P2MS addresses, and currently mainstream Taproot addresses. While the era of origin and usage scenarios of such addresses differ, they share a commonality: they default to publicizing the public key or equivalent public key information on-chain. As long as the tokens are not spent, they may become targets for attacks.

We currently classify 1.92 million Bitcoins (accounting for 9.6% of the total issued amount) under the structural risk category. These Bitcoins can be further divided into three different parts:

Distribution of structural risks for Bitcoins

Satoshi Nakamoto and early block tokens: They belong to permanently structural risk assets; if the assets are lost or the holder becomes inactive, they can hardly be migrated to a secure address without consensus across the network to initiate protocol-level rectification; otherwise, they will be permanently exposed to quantum risks.

Taproot addresses: This script itself has advantages of strong privacy, efficient transfers, and flexible smart contracts and is not a design flaw. However, from the perspective of public key leakage, Taproot addresses directly disclose keys, posing a risk during holding.

The industry-proposed BIP-360 protocol P2MR solution could retain Taproot functionality while eliminating high-risk key paths to mitigate such hazards; however, it cannot automatically migrate the existing Taproot assets and is not a complete ultimate quantum-resistant solution.

In summary, among the 1.92 million structural risk assets, one part is difficult to migrate, while another part can gradually optimize risk avoidance through new protocols and standards.

Operational Exposure: Usage Habits Cause Security Vulnerabilities

These addresses have privacy protection capabilities and do not initially leak public keys. However, due to improper user operations, the public key is exposed during the transfer process, and the remaining retained assets lose their protection.

This is the issue of address reuse. Output types such as 2PKH, P2SH, P2WPKH, and P2WSH can hide public keys through hash values while the tokens are in a static state. However, once the public key is leaked during consumption, any balance or future balances associated with that public key will lose this protection.

Operational exposure is the main source of current Bitcoin quantum risk, totaling 4.12 million, which is 2.1 times the scale of structural risk assets. This also confirms that the vast majority of Bitcoin quantum risks today are not legacies of early script designs but are instead due to improper user key management and address usage.

Among the operational risk assets, Bitcoin held by exchanges occupies a very high proportion, totaling 1.66 million, accounting for 40% of all operational risk Bitcoin balances. Data shows that there is a significant difference in asset risk among exchanges: approximately half of the Bitcoins held by marked exchanges belong to exposed Bitcoins, whereas the proportion of Bitcoins held by non-exchanges is less than 30%.

Distribution of operational risk Bitcoin supply

There are significant differences in asset exposure situations among major mainstream institutions. Some custodial institutions have relatively low risks, while others hold a larger proportion of balances in addresses where the public key is known.

• Low risk: Only 5% of custodial assets at Coinbase have public key leaks; the quantum risk exposure ratio of national sovereign treasuries (USA, UK, El Salvador) is 0%;
• Medium risk: Fidelity and CashApp at about 2%, Grayscale at about 50%;
• High risk: Binance at 85%, Bitfinex at 100%, Robinhood, and WisdomTree have all custodial assets exposed to public key risks.

Note: This data only reflects the on-chain asset custodial retention traces and does not constitute the basis for institutional risk rating or solvency assessment.

From a long-term trend perspective, national governments consistently maintain a safe holding ratio of over 99%; however, exchanges, due to frequent fund transfers and complex wallet structures, have seen the proportion of secure assets decline from 55% in 2018 to the current 45%. But this type of risk can be improved; just adhering to fundamental practices such as not reusing addresses and timely transferring change assets can quickly reduce the scale of exposure.

Distribution of operational security Bitcoin supply classified by entity type

Conclusion

Bitcoin's quantum risks can be categorized into different classes, each having varying impacts.

• Structural risks: The difficulty in migrating legacy tokens from early phases; new P2MR protocols can gradually optimize the risks of modern Taproot addresses;
• Operational risks: Larger in scale and more controllable, especially with exchanges having vast amounts of stock assets, which facilitates substantial risk migration.

It can be seen that the layout of Bitcoin's quantum security relies not only on upgrades to the underlying network protocols; a large number of existing risk assets in the market can effectively reduce risks solely through current operational adjustments. For exchanges and professional custodial institutions, standardizing address usage, optimizing reserve asset layouts, reducing key reuse, and formulating asset migration plans are not long-term wishes but practical measures that can be implemented immediately to effectively reduce quantum risks.