Lost Bitcoin and Quantum Computers: What Really Happens to Dormant Coins?

The question of lost bitcoin and quantum computers occupies a peculiar corner of cryptography: it sits at the intersection of economic theory, network security, and a technological threshold that does not yet exist but is advancing faster than most Bitcoin holders realise. Estimates consistently place between 3 and 4 million BTC in wallets that have not moved in over a decade, many of which expose their public keys directly on-chain. This article explains the precise mechanics of the threat, the categories of coin most at risk, and the governance debates now emerging inside the Bitcoin developer community.

Why Quantum Computing and Bitcoin Are on a Collision Course

Bitcoin's security rests on a small set of cryptographic primitives: the SHA-256 hash function (with RIPEMD-160 for address hashing) and digital signatures over the secp256k1 curve, ECDSA for legacy and SegWit v0 outputs and Schnorr (BIP340) for Taproot. Recovering a private key from a public key means solving the elliptic-curve discrete logarithm problem, which no classical computer can do within any practical timeframe. A sufficiently powerful quantum computer running Shor's algorithm could, in principle, do exactly that.

The critical word is "sufficiently." Breaking a 256-bit elliptic curve key with Shor's algorithm is estimated to require somewhere between 1,500 and 4,000 error-corrected logical qubits, depending on the implementation. Each logical qubit has to be built from many noisy physical qubits, so published resource estimates for the attack run from hundreds of thousands to millions of physical qubits depending on error rates and the time allowed; today's most advanced processors have on the order of a thousand physical qubits and are still far from fault-tolerant operation at that scale. Most credible research timelines place cryptographically relevant quantum computers (CRQCs) between 10 and 20 years away, though some industry insiders suggest the 2030s are plausible for nation-state actors with classified programmes.

The implication for Bitcoin is not theoretical. It is a scheduled, foreseeable risk with very specific on-chain targets.

Grover's Algorithm vs Shor's Algorithm: Two Separate Threats

It is worth separating the two quantum threats because they affect different parts of the system. Grover's algorithm gives only a quadratic speedup against a hash function: it reduces the effective security of SHA-256 from 256 to about 128 bits for preimage search, which is still far out of reach, and it does not break mining either. Shor's algorithm, by contrast, solves the elliptic-curve discrete logarithm problem in polynomial time, which recovers a secp256k1 private key from its public key outright.

The acute risk is Shor's, and its impact depends entirely on whether a given wallet's public key is visible on the blockchain.

---

The Exposed Public Key Problem: P2PK Coins

Not all Bitcoin addresses expose their public key equally. Understanding the address types is essential.

Pay-to-Public-Key (P2PK)

In Bitcoin's earliest days, Satoshi Nakamoto and early miners used Pay-to-Public-Key (P2PK) outputs. The script is simply `<pubkey> OP_CHECKSIG`: it embeds the full public key (65 bytes uncompressed in the early blocks, 33 bytes compressed in later use) directly in the transaction output. No hashing step separates the public key from the blockchain record.

Every coin in an unspent P2PK output is quantum-vulnerable from the moment a CRQC exists, whether or not the owner has ever signed anything with that key. The attacker needs only to read the output from the UTXO set, extract the public key, run Shor's algorithm to derive the private key, and broadcast a transaction.

Estimated P2PK exposure: Blockchain analysts estimate roughly 1 million BTC sit in P2PK outputs, a significant portion attributable to Satoshi-era mining rewards in the first few thousand blocks. (The genesis block's own 50 BTC coinbase is a special case: Bitcoin Core never added it to the spendable UTXO set, so it is not a target.)

Pay-to-Public-Key-Hash (P2PKH) and the "Reuse" Problem

Standard P2PKH addresses (the familiar `1...` format) commit only to RIPEMD-160(SHA-256(pubkey)), so the public key is not visible on-chain until the address is spent from. At the moment a holder signs a transaction, the input's scriptSig `<signature> <pubkey>` is broadcast to the mempool and recorded on-chain.

This creates a narrower quantum attack window: a CRQC would need to derive the private key in the interval between broadcast and confirmation, about 10 minutes on average, and then get a competing transaction mined ahead of the legitimate one. That race is considered impractical for near-term quantum hardware. The deeper problem is address reuse. Once an address has been spent from, its public key is permanently on-chain, and any funds that remain in it or arrive later are fully exposed to a patient quantum attacker, not just one racing the mempool.

SegWit and Taproot

Native SegWit (P2WPKH, the `bc1q...` format) keeps the P2PKH model: the output commits only to HASH160 of the public key, and the key itself appears in the witness only when the output is spent. P2WSH likewise commits only to the SHA-256 of a script. Taproot (P2TR, `bc1p...`) is different: the output contains the 32-byte x-only tweaked public key itself, so a quantum attacker can read it from the UTXO set without waiting for a spend, much as with P2PK. Solving the discrete logarithm of that output key is all a key-path spend needs, so the tweak offers no protection.

---

Categories of Dormant Bitcoin at Risk

| Category | Estimated BTC | Public key exposed? | Quantum risk level |
|---|---|---|---|
| Satoshi-era P2PK (unspent) | ~1,000,000 | Yes, always | Critical |
| Reused P2PKH addresses | ~300,000–500,000 | Yes (spent from) | Critical |
| P2PKH never-spent (no reuse) | ~1,500,000+ | No | Low (until spent) |
| Native SegWit / P2WPKH | Variable | No (until spent) | Low |
| Taproot (P2TR) | Growing | Yes (tweaked pubkey) | Moderate–High |
| Exchange hot wallets (rotating) | Large, rotating | Varies | Managed |

The figures above draw on publicly available blockchain analysis and are approximations. The key insight is that the quantum threat is not uniform: it is concentrated in specific, identifiable UTXO sets.

---

What Would a Quantum Attacker Actually Do?

A rational actor with a CRQC would not need to guess or brute-force anything. The process would be deterministic:

  1. Scan the UTXO set for all P2PK and Taproot outputs, whose keys sit in the output itself, and for all hashed-key addresses whose public keys already appear in earlier spending inputs.
  2. Prioritise by balance. The largest-balance exposed UTXOs are the most economically attractive targets. Satoshi's estimated 1.1 million BTC in early mining outputs are the obvious crown jewel.
  3. Run Shor's algorithm against the target public key. With a sufficiently powerful CRQC, this process could take minutes to hours per key.
  4. Construct and broadcast a valid signed transaction to a controlled address, likely through a privacy relay to obscure origin.
  5. Repeat methodically down the balance list before the network can respond.

The network itself would have no cryptographic way to distinguish the attacker's valid signature from a legitimate owner's signature. This is the core of the threat — the attack is invisible at the protocol level until it is too late for any specific coin.
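As an added example (not code from the article), here is a Python classifier for the script types covered in the address-type sections above, followed by the scan-and-prioritise triage of steps 1 and 2. It reads raw scriptPubKey bytes, reports whether the public key is readable from the unspent output itself, recovers the key that a P2PKH scriptSig or P2WPKH witness reveals on spend, and ranks a UTXO list by exposed value. The function names, the sample scripts, transaction IDs, values and the `reused` flags are all constructed for the example; the only real on-chain key is the 65-byte key from the genesis block's coinbase output. The classification is purely structural: no hashing or signature verification is done.

```python
"""Which UTXOs already reveal a public key?  Structural script classifier plus
attacker-style triage.  Added example, not code from the article; sample data
is constructed except for the genesis coinbase key."""

OP_0, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x00, 0x4c, 0x4d, 0x4e
OP_1, OP_16, OP_DUP, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x51, 0x60, 0x76, 0x88, 0xa9, 0xac


def parse_script(script: bytes) -> list:
    """Tokenise a script into (opcode, data) pairs; data is None for non-push ops."""
    items, i = [], 0
    while i < len(script):
        op, i = script[i], i + 1
        if 1 <= op <= 75:                        # direct push of 1..75 bytes
            n = op
        elif op == OP_PUSHDATA1:
            n, i = script[i], i + 1
        elif op == OP_PUSHDATA2:
            n, i = int.from_bytes(script[i:i + 2], "little"), i + 2
        elif op == OP_PUSHDATA4:
            n, i = int.from_bytes(script[i:i + 4], "little"), i + 4
        else:                                    # OP_0, OP_1..OP_16, OP_DUP, OP_CHECKSIG, ...
            items.append((op, None))
            continue
        if i + n > len(script):
            raise ValueError("truncated push in script")
        items.append((op, script[i:i + n]))
        i += n
    return items


def is_pubkey(b: bytes) -> bool:
    """SEC1 shape: 65-byte uncompressed (0x04) or 33-byte compressed (0x02/0x03)."""
    return (len(b) == 65 and b[0] == 4) or (len(b) == 33 and b[0] in (2, 3))


def classify_output(script_pubkey: bytes):
    """Return (script_type, key_exposed_at_rest): can the key be read from the
    unspent output itself, before any signature is ever published?"""
    items = parse_script(script_pubkey)
    ops = [op for op, _ in items]
    if len(items) == 2 and items[0][1] is not None and is_pubkey(items[0][1]) and ops[1] == OP_CHECKSIG:
        return "P2PK", True                      # <pubkey> OP_CHECKSIG
    if ops == [OP_DUP, OP_HASH160, 0x14, OP_EQUALVERIFY, OP_CHECKSIG]:
        return "P2PKH", False                    # only HASH160(pubkey) is on-chain
    if len(items) == 2 and (ops[0] == OP_0 or OP_1 <= ops[0] <= OP_16) and items[1][1] is not None:
        prog = items[1][1]                       # BIP141 witness program
        if ops[0] == OP_0 and len(prog) == 20:
            return "P2WPKH", False               # v0: HASH160(pubkey)
        if ops[0] == OP_1 and len(prog) == 32:
            return "P2TR", True                  # v1: the tweaked x-only key itself
    return "other", False                        # P2SH, P2WSH, bare multisig, ...


def pubkey_from_spend(script_type: str, script_sig: bytes = b"", witness=()):
    """Key revealed when a hashed-key output is spent: last push of a P2PKH
    scriptSig (<sig> <pubkey>) or the second witness item of a P2WPKH input."""
    if script_type == "P2PKH":
        pushes = [d for _, d in parse_script(script_sig) if d is not None]
        return pushes[-1] if pushes and is_pubkey(pushes[-1]) else None
    if script_type == "P2WPKH" and len(witness) == 2 and is_pubkey(witness[1]):
        return witness[1]
    return None


def exposure(script_pubkey: bytes, reused: bool = False) -> str:
    """Risk bucket for one UTXO; `reused` = address was spent from before, so
    its key already sits in an earlier input (the address-reuse case)."""
    script_type, at_rest = classify_output(script_pubkey)
    if at_rest:
        return "exposed-at-rest"
    if script_type in ("P2PKH", "P2WPKH"):
        return "exposed-by-reuse" if reused else "hashed"
    return "script-hash"


def rank_targets(utxos: list) -> list:
    """Attacker triage: every UTXO whose key is already public, richest first.
    Each utxo is (txid, vout, value_sats, script_pubkey, reused)."""
    hits = [u for u in utxos if exposure(u[3], u[4]).startswith("exposed")]
    return sorted(hits, key=lambda u: u[2], reverse=True)


GENESIS_PUBKEY = bytes.fromhex(                  # the genesis block's coinbase key (real)
    "04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6"
    "49f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f")
FAKE_COMPRESSED_KEY = bytes([0x02]) + bytes(range(1, 33))   # right shape, not a real point
FAKE_DER_SIG = bytes([0x30]) + bytes(70)                     # 71-byte placeholder signature
P2PK = bytes([65]) + GENESIS_PUBKEY + bytes([OP_CHECKSIG])
P2PKH = bytes([OP_DUP, OP_HASH160, 20]) + bytes(20) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 20]) + bytes(20)
P2TR = bytes([OP_1, 32]) + bytes(32)
P2PKH_SCRIPTSIG = bytes([71]) + FAKE_DER_SIG + bytes([33]) + FAKE_COMPRESSED_KEY
SAMPLE_UTXOS = [                                 # constructed: (txid, vout, sats, scriptPubKey, reused)
    ("aa" * 32, 0, 50_0000_0000, P2PK, False),   # Satoshi-era coinbase shape
    ("bb" * 32, 1, 12_0000_0000, P2PKH, True),   # legacy address spent from before
    ("cc" * 32, 0, 90_0000_0000, P2PKH, False),  # never spent from: still hashed
    ("dd" * 32, 0, 3_0000_0000, P2WPKH, False),
    ("ee" * 32, 2, 20_0000_0000, P2TR, False),   # tweaked key visible in the output
]

if __name__ == "__main__":
    for txid, vout, sats, spk, reused in rank_targets(SAMPLE_UTXOS):
        print(f"{txid[:8]}:{vout} {sats / 1e8:8.2f} BTC {classify_output(spk)[0]:6} {exposure(spk, reused)}")
```

Run against the constructed set, the ranking returns the P2PK, P2TR and reused-P2PKH outputs in that order and skips the 90 BTC never-spent P2PKH output, which is the largest balance but still hashed: exactly the ordering an attacker's step 2 would produce, and the same check a holder can run over their own UTXOs. Feed `pubkey_from_spend` a real scriptSig or witness to see what a single spend publishes.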

---

The Governance Debate: Freeze, Burn, or Do Nothing?

The prospect of quantum-enabled theft of dormant coins has prompted serious debate among Bitcoin developers and researchers. Three broad positions have emerged.

Option 1: Do Nothing

Proponents argue that Bitcoin's core value proposition is immutability and predictability. Confiscating or freezing UTXOs — even provably lost ones — sets a precedent that fundamentally undermines the property rights model Bitcoin was built on. Who decides which coins are "lost enough" to seize? The governance process required to reach consensus on such a rule could be more destabilising than the quantum threat itself.

Option 2: A Quantum-Safety Migration Deadline (Sunset Clause)

Several researchers and developers, including contributors associated with Bitcoin Optech and academic cryptography groups, have proposed a structured migration window. The idea: announce well in advance that after a specific block height, any UTXO whose public key is exposed and has not been migrated to a quantum-resistant address format will be considered unspendable or will be quarantined.

This is sometimes called a "sunset clause" for vulnerable UTXOs. Arguments in favour:

  1. It removes the prize. A CRQC is only worth aiming at Bitcoin if large exposed balances are there to take; a deadline that freezes them removes the incentive before the machine exists.
  2. It is announced years ahead, so anyone who still holds keys has time to move, and the rule can be designed calmly rather than under the pressure of an emergency fork.
  3. It protects everyone else: a quantum raid on dormant coins damages the price and the credibility of the security model for all holders, not only the victims.

Arguments against:

  1. It violates the immutability and property-rights guarantees Bitcoin was built on; the protocol would be declaring some valid signatures unacceptable.
  2. Someone must decide which UTXOs are "lost enough" and where the deadline falls, and reaching consensus on that is an unprecedented governance problem.
  3. Holders who own coins but cannot move them in time (misplaced keys, inheritance disputes, legal holds) lose them for good, and a deadline based on a wrong quantum timeline is either too early or too late.

Option 3: Emergency Protocol Fork

A reactive approach: wait until a CRQC is demonstrably near-operational, then execute an emergency hard fork that either freezes vulnerable UTXOs or transitions the entire network to post-quantum signatures. Critics note that an emergency fork under adversarial time pressure is the worst possible environment for sound protocol design. Rushed changes introduce new bugs and attack surfaces.

Most serious Bitcoin researchers consider this option a fallback of last resort, not a plan.

---

The Post-Quantum Address Standard Question

The longer-term solution is replacing ECDSA and Schnorr with a quantum-resistant signature scheme. The US National Institute of Standards and Technology (NIST) published its first finalised post-quantum standards in August 2024: ML-KEM (FIPS 203, key encapsulation, derived from CRYSTALS-Kyber), ML-DSA (FIPS 204, lattice-based signatures, derived from CRYSTALS-Dilithium) and SLH-DSA (FIPS 205, the hash-based SPHINCS+ signatures). FALCON, selected alongside them, is being standardised separately as FN-DSA (FIPS 206) and was not among the finalised 2024 publications. The lattice schemes resist Shor's algorithm because they rest on problems such as Module-LWE and Module-SIS (related to finding short vectors in high-dimensional lattices) for which no efficient quantum algorithm is known; SLH-DSA relies on nothing but hash functions.

Integrating a new signature scheme into Bitcoin requires:

  1. A new output type and address format, deployable as a soft fork (a fresh SegWit witness version is the natural vehicle: pre-upgrade nodes treat unknown witness versions as anyone-can-spend, so they stay compatible).
  2. Consensus rules for verifying the new signatures, with size limits that keep blocks verifiable, since post-quantum signatures and keys are one to two orders of magnitude larger than ECDSA's.
  3. Wallet, hardware-signer and exchange support, because a format nobody can sign for protects nothing.
  4. A migration plan for the existing exposed UTXOs, which is the governance question discussed above.

Projects building quantum-resistant infrastructure today, rather than waiting for a Bitcoin-level consensus process, offer an early demonstration of what post-quantum key management looks like in practice. BMIC.ai, for example, is building a wallet and token architecture around NIST PQC-aligned lattice-based cryptography, designed specifically to protect holdings against Q-day scenarios — the kind of approach that illustrates what proactive rather than reactive quantum defence looks like.

---

What Should Bitcoin Holders Do Now?

The practical steps available to holders today are limited but meaningful:

  1. Avoid address reuse. Every modern wallet generates a new receive address per transaction. If yours does not, switch to one that does. This keeps your public key off-chain for as long as you never spend.
  2. Move funds out of P2PK outputs. If you hold coins in very old wallets from the 2009–2011 era and can access them, migrating to a modern address type eliminates the "always-exposed" risk.
  3. Use hardware wallets with modern address support. Native SegWit (P2WPKH) addresses are no more quantum-vulnerable than P2PKH when not reused, and either is preferable to P2PK. Taproot (P2TR) is the exception for long-term cold storage: its output contains the tweaked public key, so it is exposed at rest in the same way as P2PK.
  4. Monitor NIST PQC developments. When Bitcoin Core developers begin formalising a post-quantum upgrade path, early adoption of new address formats will be the clearest protective action available.
  5. Understand that lost coins may not be recoverable. If you have genuinely lost access to keys, no quantum defence migration is available to you — the coins either sit at risk or, under a sunset-clause scenario, may eventually be rendered inaccessible to everyone, including attackers.

---

The Systemic Risk to Bitcoin's Price and Supply Model

Beyond individual holders, the macroeconomic implications of a quantum-enabled raid on dormant Bitcoin are significant. Bitcoin's fixed supply of 21 million, with approximately 3–4 million considered permanently lost, is priced into market expectations. If 500,000 or more BTC from Satoshi-era wallets suddenly re-entered circulation through quantum theft, the market impact would be severe, though analysts disagree sharply on magnitude and duration.

More dangerous than the price impact is the trust impact. Bitcoin's value proposition rests on the credibility of its security model. A demonstrated quantum breach, even of a single high-profile wallet, would force an immediate and disorderly governance response under the worst possible conditions. Preparation, not reaction, is the only rational posture.

Frequently Asked Questions

How many Bitcoin are vulnerable to a quantum computer attack right now?

Blockchain analysts estimate approximately 1 million BTC in early Pay-to-Public-Key (P2PK) outputs have their public keys permanently exposed on-chain. An additional 300,000 to 500,000 BTC sit in reused P2PKH addresses where the public key was revealed when funds were previously spent. These figures are approximations based on UTXO set analysis and vary by methodology.

Can a quantum computer steal Bitcoin today?

No. Current quantum processors are nowhere near the scale required. Breaking a 256-bit elliptic curve key with Shor's algorithm requires an estimated 1,500 to 4,000 error-corrected logical qubits. Today's machines operate with physical qubits that are orders of magnitude from that fault-tolerant threshold. Most credible estimates place cryptographically relevant quantum computers at least a decade away.

What is a P2PK output and why is it especially dangerous?

Pay-to-Public-Key (P2PK) is a legacy Bitcoin script format used in the earliest days of the network, including by Satoshi Nakamoto during mining. It embeds the full public key directly in the transaction output rather than hashing it. This means the public key is permanently visible on the blockchain without any additional spending step, making these coins quantum-vulnerable the moment a sufficiently powerful quantum computer exists.

What is the 'sunset clause' proposal for quantum-vulnerable Bitcoin?

A sunset clause is a proposed protocol rule under which Bitcoin UTXOs whose public keys are already exposed on-chain would be given a long migration window — potentially years — to move to quantum-resistant address formats. After a specified block height, unresponsive vulnerable UTXOs would be frozen or burned. Proponents argue this protects network integrity; opponents argue it violates Bitcoin's immutability and property-rights guarantees and requires an unprecedented governance consensus.

Does Taproot make Bitcoin more quantum-vulnerable?

Taproot (P2TR) outputs include a tweaked public key directly in the output script, which means the public key is visible on-chain without a spending transaction — similar in structure to the old P2PK format. This is a known trade-off in the Taproot design, accepted because quantum timelines were considered sufficiently distant. For long-term quantum resistance, P2TR outputs will eventually need migration to a post-quantum address standard.

What post-quantum cryptography options are being considered for Bitcoin?

The most discussed candidates are the lattice-based schemes NIST selected in its post-quantum process: ML-DSA (CRYSTALS-Dilithium, standardised in 2024 as FIPS 204) and FALCON (being standardised as FN-DSA, FIPS 206), with the hash-based SLH-DSA (SPHINCS+, FIPS 205) as the conservative fallback. All of them resist Shor's algorithm. The main challenge for Bitcoin integration is size: an ML-DSA-44 signature is 2,420 bytes and its public key 1,312 bytes, versus roughly 71 bytes for a DER-encoded ECDSA signature (64 for Schnorr) and 33 bytes for a compressed key. Falcon-512 is more compact at about 666 bytes per signature but is harder to implement safely because signing requires floating-point arithmetic. These sizes create block-space and transaction fee implications that require careful protocol design before any fork could be adopted.
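As an added example (not code from the article), the block-space point can be made concrete with a few lines of Python that apply the BIP141 weight rule to a one-input, one-output spend. It assumes a witness layout of `<signature> <public key>` for every scheme (a real post-quantum output type would define its own, so treat the numbers as a floor rather than a proposal), takes the signature and public key sizes from FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA) and the Falcon-512 specification, and otherwise uses constructed values; the function names are mine.

```python
"""Virtual size and fee of a 1-in/1-out SegWit spend under different signature
schemes.  Added example, not code from the article.  The witness layout
<sig> <pubkey> is an assumption; the PQ sizes are the published parameter sets."""
import math


def compact_size(n: int) -> int:
    """Bytes taken by Bitcoin's CompactSize varint that encodes a length n."""
    return 1 if n < 0xfd else 3 if n <= 0xffff else 5 if n <= 0xffffffff else 9


# Non-witness bytes of the transaction: version 4, input count 1, outpoint 36,
# empty scriptSig length 1, sequence 4, output count 1, value 8, scriptPubKey
# length 1 + a 34-byte witness output (OP_n <32 bytes>), locktime 4.
BASE_BYTES = 4 + 1 + 36 + 1 + 4 + 1 + 8 + 1 + 34 + 4   # = 94


def witness_bytes(*item_lengths: int) -> int:
    """Serialised witness: 2-byte marker/flag, item count, then each item with its length prefix."""
    return 2 + compact_size(len(item_lengths)) + sum(compact_size(n) + n for n in item_lengths)


def tx_weight(*item_lengths: int) -> int:
    """BIP141: weight = 4 x non-witness bytes + witness bytes."""
    return 4 * BASE_BYTES + witness_bytes(*item_lengths)


def tx_vsize(*item_lengths: int) -> int:
    """Virtual size in vbytes (weight / 4, rounded up); fee rates are quoted per vbyte."""
    return math.ceil(tx_weight(*item_lengths) / 4)


def txs_per_block(*item_lengths: int) -> int:
    """How many such spends fit in a 4,000,000-weight block."""
    return 4_000_000 // tx_weight(*item_lengths)


# (signature bytes, public key bytes).  A Taproot key-path spend carries only the
# 64-byte Schnorr signature because the key is already in the output.
SCHEMES = {
    "ECDSA, P2WPKH":            (72, 33),
    "Schnorr, P2TR key path":   (64, None),
    "ML-DSA-44 (Dilithium2)":   (2420, 1312),
    "ML-DSA-65 (Dilithium3)":   (3309, 1952),
    "Falcon-512 (FN-DSA)":      (666, 897),
    "SLH-DSA-SHA2-128s":        (7856, 32),
}


def fee_table(sat_per_vb: int) -> list:
    """(scheme, vbytes, fee in sats, spends per block) for each scheme at one fee rate."""
    rows = []
    for name, (sig, pk) in SCHEMES.items():
        items = (sig,) if pk is None else (sig, pk)
        vb = tx_vsize(*items)
        rows.append((name, vb, vb * sat_per_vb, txs_per_block(*items)))
    return rows


if __name__ == "__main__":
    for name, vb, fee, per_block in fee_table(10):
        print(f"{name:26} {vb:6d} vB  {fee:8d} sat @10 sat/vB  {per_block:5d} tx/block")
```

The witness discount helps but does not rescue the lattice schemes: an ML-DSA-44 spend comes out around 1,030 vbytes against 122 for ECDSA, so the same block holds roughly 970 such transactions instead of about 8,200, and every fee scales by the same factor. Falcon-512 lands near 490 vbytes, which is why it keeps coming up in Bitcoin discussions despite its implementation hazards.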