Lost Bitcoin and Quantum Computers: What Really Happens to Dormant Coins?
The question of lost bitcoin and quantum computers occupies a peculiar corner of cryptography: it sits at the intersection of economic theory, network security, and a technological threshold that does not yet exist but is advancing faster than most Bitcoin holders realise. Estimates consistently place between 3 and 4 million BTC in wallets that have not moved in over a decade, many of which expose their public keys directly on-chain. This article explains the precise mechanics of the threat, the categories of coin most at risk, and the governance debates now emerging inside the Bitcoin developer community.
Why Quantum Computing and Bitcoin Are on a Collision Course
Bitcoin's security rests on two cryptographic primitives: the SHA-256 hash function and the Elliptic Curve Digital Signature Algorithm (ECDSA) using the secp256k1 curve. A classical computer cannot reverse-engineer a private key from a public key within any practical timeframe. A sufficiently powerful quantum computer running Shor's algorithm could, in theory, do exactly that.
The critical word is "sufficiently." Breaking a 256-bit elliptic curve key with Shor's algorithm is estimated to require somewhere between 1,500 and 4,000 error-corrected logical qubits, depending on the implementation. Today's most advanced quantum processors operate with physical qubits whose counts and error rates are still far from supporting fault-tolerant operation at that scale. Most credible research timelines place cryptographically relevant quantum computers (CRQCs) between 10 and 20 years away, though some industry insiders suggest the 2030s are plausible for nation-state actors with classified programmes.
The implication for Bitcoin is not theoretical. It is a scheduled, foreseeable risk with very specific on-chain targets.
Grover's Algorithm vs Shor's Algorithm: Two Separate Threats
It is worth separating the two quantum threats because they affect different parts of the system:
- Shor's algorithm attacks public-key cryptography. It could derive a private key from an exposed public key. This is the serious threat for ECDSA.
- Grover's algorithm attacks hash functions, halving their effective security from 256 bits to 128 bits. A 128-bit security level is still considered robust by most standards, so SHA-256 and Bitcoin's address hashing are not considered critically vulnerable in the near term.
The acute risk is Shor's, and its impact depends entirely on whether a given wallet's public key is visible on the blockchain.
---
The Exposed Public Key Problem: P2PK Coins
Not all Bitcoin addresses expose their public key equally. Understanding the address types is essential.
Pay-to-Public-Key (P2PK)
In Bitcoin's earliest days, Satoshi Nakamoto and early miners used Pay-to-Public-Key (P2PK) outputs. These scripts embed the full 65-byte uncompressed public key directly in the transaction output. No hashing step separates the public key from the blockchain record.
Every coin in a P2PK output is permanently quantum-vulnerable the moment a CRQC exists, regardless of whether it has ever been spent. The attacker needs only to read the blockchain, extract the public key, run Shor's algorithm, derive the private key, and broadcast a transaction.
Estimated P2PK exposure: Blockchain analysts estimate roughly 1 million BTC sit in P2PK outputs, a significant portion attributable to Satoshi-era mining rewards in the genesis block and the first few thousand blocks.
Pay-to-Public-Key-Hash (P2PKH) and the "Reuse" Problem
Standard P2PKH addresses (the familiar `1...` format) hash the public key using RIPEMD-160(SHA-256), so the public key is not directly visible — until the address is spent from. At the moment a holder signs a transaction, the public key is broadcast to the mempool and recorded on-chain.
This creates a narrower quantum attack window: a CRQC would need to derive the private key in the brief interval between broadcast and block confirmation, currently around 10 minutes. Such a race against confirmation is considered impractical for near-term quantum hardware. The deeper problem is address reuse. Any address that has received funds and then sent funds has its public key permanently on-chain. Reused addresses are fully exposed to a patient quantum attacker, not just to one racing the mempool.
SegWit and Taproot
- P2WPKH (native SegWit) and P2SH-wrapped SegWit addresses also hash public keys, providing the same conditional protection as P2PKH — safe until spent.
- Taproot (P2TR) outputs expose a tweaked public key directly in the output, placing them structurally closer to P2PK in terms of long-term quantum exposure. This is an acknowledged trade-off in the Taproot design, considered acceptable given current quantum timelines.
---
Categories of Dormant Bitcoin at Risk
| Category | Estimated BTC | Public Key Exposed? | Quantum Risk Level |
|---|---|---|---|
| Satoshi-era P2PK (unspent) | ~1,000,000 | Yes, always | Critical |
| Reused P2PKH addresses | ~300,000–500,000 | Yes (spent from) | Critical |
| P2PKH never-spent (no reuse) | ~1,500,000+ | No | Low (until spent) |
| Native SegWit / P2WPKH | Variable | No (until spent) | Low |
| Taproot (P2TR) | Growing | Yes (tweaked pubkey) | Moderate–High |
| Exchange hot wallets (rotating) | Large, rotating | Varies | Managed |
The figures above draw on publicly available blockchain analysis and are approximations. The key insight is that the quantum threat is not uniform: it is concentrated in specific, identifiable UTXO sets.
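As an added example (not code from the article), the following Python classifies standard scriptPubKeys by output type and sums a constructed UTXO set into the risk levels of the table above, treating a hashed address as reused when its 20-byte hash appears in a set of hashes already spent from; the sample scripts and that set are constructed placeholders, not chain data.

```python
# Added example, not code from the article: triage UTXOs by whether their public
# key is already visible on-chain, the property the article ties to Shor exposure.
# Script templates are standard Bitcoin; sample UTXOs and SPENT_FROM are constructed.

def classify_script(script_hex):
    """Return (output type, key-or-hash bytes) for a scriptPubKey."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "P2PK", s[1:-1]          # <33|65-byte pubkey> OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH", s[3:23]         # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", s[2:]          # OP_0 <20-byte key hash>
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR", s[2:]            # OP_1 <32-byte tweaked x-only key>
    return "UNKNOWN", None

def quantum_risk(script_hex, spent_from_hashes):
    """Map one output to the article's risk levels; spent_from_hashes holds
    the 20-byte hashes whose key an earlier spend already revealed."""
    kind, payload = classify_script(script_hex)
    if kind == "P2PK":
        return "Critical"               # key is always on-chain
    if kind == "P2TR":
        return "Moderate-High"          # tweaked key is on-chain
    if kind in ("P2PKH", "P2WPKH"):
        if payload in spent_from_hashes:
            return "Critical"           # address reuse: key already revealed
        return "Low (until spent)"      # only a hash is visible so far
    return "Unknown"

def triage(utxos, spent_from_hashes):
    """Sum value (sats) per risk level for utxos = [(script_hex, value)]."""
    totals = {}
    for script_hex, value in utxos:
        level = quantum_risk(script_hex, spent_from_hashes)
        totals[level] = totals.get(level, 0) + value
    return totals

# Constructed sample set: placeholder keys and hashes, not real chain data.
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000),  # P2PK, compressed key
    ("76a914" + "aa" * 20 + "88ac", 100_000_000),     # P2PKH, spent from before
    ("76a914" + "bb" * 20 + "88ac", 200_000_000),     # P2PKH, never spent
    ("0014" + "cc" * 20, 50_000_000),                 # native SegWit P2WPKH
    ("5120" + "dd" * 32, 10_000_000),                 # Taproot P2TR
]
SPENT_FROM = {bytes.fromhex("aa" * 20)}   # hash whose key was already revealed
print(triage(SAMPLE_UTXOS, SPENT_FROM))
```

Linking a key revealed in a spending input back to its address requires RIPEMD-160(SHA-256(pubkey)), which is left out here; a real scan would populate SPENT_FROM from the inputs of historical transactions rather than from a constructed set.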
---
What Would a Quantum Attacker Actually Do?
A rational actor with a CRQC would not need to guess or brute-force anything. The process would be deterministic:
- Scan the UTXO set for all P2PK outputs and all addresses whose public keys appear in spending transaction inputs.
- Prioritise by balance. The largest-balance exposed UTXOs are the most economically attractive targets. Satoshi's estimated 1.1 million BTC in early mining outputs are the obvious crown jewel.
- Run Shor's algorithm against the target public key. With a sufficiently powerful CRQC, this process could take minutes to hours per key.
- Construct and broadcast a valid signed transaction to a controlled address, likely through a privacy relay to obscure origin.
- Repeat methodically down the balance list before the network can respond.
The network itself would have no cryptographic way to distinguish the attacker's valid signature from a legitimate owner's signature. This is the core of the threat — the attack is invisible at the protocol level until it is too late for any specific coin.
---
The Governance Debate: Freeze, Burn, or Do Nothing?
The prospect of quantum-enabled theft of dormant coins has prompted serious debate among Bitcoin developers and researchers. Three broad positions have emerged.
Option 1: Do Nothing
Proponents argue that Bitcoin's core value proposition is immutability and predictability. Confiscating or freezing UTXOs — even provably lost ones — sets a precedent that fundamentally undermines the property rights model Bitcoin was built on. Who decides which coins are "lost enough" to seize? The governance process required to reach consensus on such a rule could be more destabilising than the quantum threat itself.
Option 2: A Quantum-Safety Migration Deadline (Sunset Clause)
Several researchers, including those affiliated with the Bitcoin Optech and academic cryptography groups, have proposed a structured migration window. The idea: announce well in advance that after a specific block height, any UTXO whose public key is exposed and has not migrated to a quantum-resistant address format will be considered unspendable or will be quarantined.
This is sometimes called a "sunset clause" for vulnerable UTXOs. Arguments in favour:
- It protects the network's economic integrity by preventing a quantum actor from suddenly flooding the market with stolen coins.
- It gives legitimate holders years to move funds.
- It incentivises adoption of post-quantum address standards.
Arguments against:
- Lost coins whose owners are genuinely unreachable (deceased, lost keys) cannot migrate — those coins would be effectively burned or forfeited to miners.
- Estimating a safe deadline is speculative; if quantum timelines accelerate, a 2035 deadline may already be too late.
- Any protocol change requires broad consensus across miners, node operators, and developers.
Option 3: Emergency Protocol Fork
A reactive approach: wait until a CRQC is demonstrably near-operational, then execute an emergency hard fork that either freezes vulnerable UTXOs or transitions the entire network to post-quantum signatures. Critics note that an emergency fork under adversarial time pressure is the worst possible environment for sound protocol design. Rushed changes introduce new bugs and attack surfaces.
Most serious Bitcoin researchers consider this option a fallback of last resort, not a plan.
---
The Post-Quantum Address Standard Question
The longer-term solution is replacing ECDSA with a quantum-resistant signature scheme. The US National Institute of Standards and Technology (NIST) finalised its first set of post-quantum cryptographic standards in 2024, including CRYSTALS-Dilithium (lattice-based signatures) and FALCON. These algorithms are designed to resist Shor's algorithm because they rely on mathematical problems — shortest vector problems on high-dimensional lattices — that quantum computers do not solve efficiently.
Integrating a new signature scheme into Bitcoin requires:
- A new address type accepted by the network.
- Soft fork or hard fork consensus depending on implementation.
- Signature size trade-offs: lattice-based signatures are significantly larger than ECDSA signatures (Dilithium signatures run to ~2.4 KB vs ~71 bytes for ECDSA), which has block-space and fee implications.
- Long transition period during which both old and new formats are valid.
Projects building quantum-resistant infrastructure today, rather than waiting for a Bitcoin-level consensus process, offer an early demonstration of what post-quantum key management looks like in practice. BMIC.ai, for example, is building a wallet and token architecture around NIST PQC-aligned lattice-based cryptography, designed specifically to protect holdings against Q-day scenarios — the kind of approach that illustrates what proactive rather than reactive quantum defence looks like.
---
What Should Bitcoin Holders Do Now?
The practical steps available to holders today are limited but meaningful:
- Avoid address reuse. Every modern wallet generates a new receive address per transaction. If yours does not, switch to one that does. This keeps your public key off-chain for as long as you never spend.
- Move funds out of P2PK outputs. If you hold coins in very old wallets from the 2009–2011 era and can access them, migrating to a modern address type eliminates the "always-exposed" risk.
- Use hardware wallets with modern address support. Native SegWit and Taproot addresses are not meaningfully more quantum-vulnerable than P2PKH for non-reused addresses; either is preferable to P2PK.
- Monitor NIST PQC developments. When Bitcoin Core developers begin formalising a post-quantum upgrade path, early adoption of new address formats will be the clearest protective action available.
- Understand that lost coins may not be recoverable. If you have genuinely lost access to keys, no quantum defence migration is available to you — the coins either sit at risk or, under a sunset-clause scenario, may eventually be rendered inaccessible to everyone, including attackers.
---
The Systemic Risk to Bitcoin's Price and Supply Model
Beyond individual holders, the macroeconomic implications of a quantum-enabled raid on dormant Bitcoin are significant. Bitcoin's fixed supply of 21 million, with approximately 3–4 million considered permanently lost, is priced into market expectations. If 500,000 or more BTC from Satoshi-era wallets suddenly re-entered circulation through quantum theft, the market impact would be severe, though analysts disagree sharply on magnitude and duration.
More dangerous than the price impact is the trust impact. Bitcoin's value proposition rests on the credibility of its security model. A demonstrated quantum breach, even of a single high-profile wallet, would force an immediate and disorderly governance response under the worst possible conditions. Preparation, not reaction, is the only rational posture.
Frequently Asked Questions
How many Bitcoin are vulnerable to a quantum computer attack right now?
Blockchain analysts estimate approximately 1 million BTC in early Pay-to-Public-Key (P2PK) outputs have their public keys permanently exposed on-chain. An additional 300,000 to 500,000 BTC sit in reused P2PKH addresses where the public key was revealed when funds were previously spent. These figures are approximations based on UTXO set analysis and vary by methodology.
Can a quantum computer steal Bitcoin today?
No. Current quantum processors are nowhere near the scale required. Breaking a 256-bit elliptic curve key with Shor's algorithm requires an estimated 1,500 to 4,000 error-corrected logical qubits. Today's machines operate with physical qubits that are orders of magnitude from that fault-tolerant threshold. Most credible estimates place cryptographically relevant quantum computers at least a decade away.
What is a P2PK output and why is it especially dangerous?
Pay-to-Public-Key (P2PK) is a legacy Bitcoin script format used in the earliest days of the network, including by Satoshi Nakamoto during mining. It embeds the full public key directly in the transaction output rather than hashing it. This means the public key is permanently visible on the blockchain without any additional spending step, making these coins quantum-vulnerable the moment a sufficiently powerful quantum computer exists.
What is the 'sunset clause' proposal for quantum-vulnerable Bitcoin?
A sunset clause is a proposed protocol rule under which Bitcoin UTXOs whose public keys are already exposed on-chain would be given a long migration window — potentially years — to move to quantum-resistant address formats. After a specified block height, unresponsive vulnerable UTXOs would be frozen or burned. Proponents argue this protects network integrity; opponents argue it violates Bitcoin's immutability and property-rights guarantees and requires an unprecedented governance consensus.
Does Taproot make Bitcoin more quantum-vulnerable?
Taproot (P2TR) outputs include a tweaked public key directly in the output script, which means the public key is visible on-chain without a spending transaction — similar in structure to the old P2PK format. This is a known trade-off in the Taproot design, accepted because quantum timelines were considered sufficiently distant. For long-term quantum resistance, P2TR outputs will eventually need migration to a post-quantum address standard.
What post-quantum cryptography options are being considered for Bitcoin?
The most discussed candidates are lattice-based signature schemes standardised by NIST in 2024, specifically CRYSTALS-Dilithium and FALCON. Both resist Shor's algorithm. The main challenge for Bitcoin integration is signature size: Dilithium signatures are roughly 2.4 KB versus 71 bytes for ECDSA, creating block-space and transaction fee implications that require careful protocol design before any fork could be adopted.