An address becomes “quantum‑vulnerable” once its public key becomes public knowledge. A cryptographically relevant quantum computer (CRQC) could then feed that public key into Shor’s algorithm and derive the private key.
- On-chain exposure: The full public key is written to the blockchain forever. This is typically due to the use of P2PK, P2MS (multi-sig), P2TR (Taproot), and address/script reuse.
- Mempool exposure: Spending a UTXO requires broadcasting the public key. An attacker must recover the key before the transaction is mined (~10 minutes).
- Off-chain exposure: e.g. signing messages with your private key and sharing that signature online.
Numbers 1 and 3 (on-chain and off-chain exposure) fall into an attack category known as "Harvest-Now, Decrypt-Later": a quantum adversary can collect exposed keys today and spend months or years deriving the matching private keys once hardware catches up.
To steal funds in the mempool (number 2), a CRQC would have to derive the private key before the next block (~10 min) to redirect the in-flight transaction. After the transaction confirms, the output linked to that key is fully spent, so, assuming you haven’t reused the address, that public key no longer guards any unspent coins (if the same public key has other UTXOs because of address reuse, those balances remain exposed).
Full name: Pay-To-Public-Key
Address example: Blockchain explorers sometimes display addresses for P2PK locking scripts; however, P2PK does not have an official address format.
Exposure: the public key is exposed in the ScriptPubKey of the locking script (i.e. at UTXO creation).
Risk: Bitcoin held in P2PK scripts is vulnerable to quantum attacks immediately upon receipt.
Notes: rare today; mostly seen in 2009–2011 coinbase outputs (≈ 1.7M bitcoins).
Full name: Pay-To-Multi-Sig
Address example: Blockchain explorers sometimes display addresses for P2MS locking scripts; however, P2MS does not have an official address format. A P2MS is simply a set of M public keys where N of M of those public keys must authorize a transaction spend.
Exposure: each public key is exposed in the ScriptPubKey of the locking script (i.e. at UTXO creation).
Risk: Bitcoin held in P2MS scripts is vulnerable to quantum attacks immediately upon receipt.
Notes: uncommon; most multisig transactions are wrapped in P2SH or P2WSH instead.
Full name: Pay-To-Public-Key-Hash
Address example: 1AnTweDeSrSWCit2MuciULWaZ5bwZ1LNZC (always starts with 1)
Exposure: With P2PKH, the public key is hashed until the UTXO is spent. On spend, the public key is included in the ScriptSig of the spend transaction.
Risk:
- Mempool: while a transaction from that address is in the mempool.
- On-chain: if you reuse the address after spending from it. This happens far more regularly than you might think. Any address here beginning with a 1 is a P2PKH address that is vulnerable to quantum attack due to address reuse.
- Off-chain: if you sign a message using the private key for this address, the public key will be available within the signature, making the address quantum-vulnerable if this signature is shared or published online.
Notes: the dominant address type until SegWit (2017).
Full name: Pay-To-Witness-Public-Key-Hash, i.e. SegWit
Address example: bc1qxq93grfrnee46kheedpp8xkckutksx0wxw03ql (always starts with bc1q)
Exposure: Similarly to P2PKH, the public key is hashed until the UTXO is spent. On spend, the public key is included in the witness field of the spend transaction.
Risk:
- Mempool: while a transaction from that address is in the mempool.
- On-chain: if you reuse the address after spending from it. This happens far more regularly than you might think. Any address here beginning with a bc1q is a P2WPKH address that is vulnerable to quantum attack due to address reuse.
- Off-chain: if you sign a message using the private key for this address, the public key will be available within the signature, making the address quantum-vulnerable if this signature is shared or published online.
Notes: most popular address type as of 2025.
Full name: Pay-To-Taproot, i.e. Taproot
Address example: bc1pn7dxdhk8sts6kva90usdy3lhlsukarlt7hk4qqnqpmvzmj3ykt7qgfqxc6 (always starts with bc1p)
Exposure: With P2TR, the address directly encodes a 32-byte x‑only portion of the public key. As such, the full public key is trivial to reconstruct from an address alone.
Risk: Bitcoin held in P2TR scripts is vulnerable to quantum attacks immediately upon receipt.
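The encoding described above, as an added example (not code from the original page): a Bech32m (BIP-350) encoder and decoder showing that a P2TR address carries the 32-byte x-only key itself rather than a hash of it. The function names and the sample key are assumptions constructed for illustration.

```python
# Added example: Bech32m (BIP-350) round trip for a P2TR witness program.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3

def _polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = (chk & 0x1FFFFFF) << 5 ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def _convertbits(data, frombits, tobits, pad):
    """Regroup bits (8->5 to encode, 5->8 to decode); padding bits are not validated."""
    acc, bits, out = 0, 0, []
    for v in data:
        acc = (acc << frombits) | v
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & ((1 << tobits) - 1))
    if pad and bits:
        out.append((acc << (tobits - bits)) & ((1 << tobits) - 1))
    return out

def p2tr_address(xonly_key, hrp="bc"):
    data = [1] + _convertbits(xonly_key, 8, 5, True)   # witness version 1
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ BECH32M_CONST
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)

def xonly_key_from_p2tr(addr):
    hrp, _, body = addr.lower().rpartition("1")
    data = [CHARSET.index(c) for c in body]   # ValueError on bad characters
    if _polymod(_hrp_expand(hrp) + data) != BECH32M_CONST:
        raise ValueError("bad Bech32m checksum")
    if data[0] != 1:
        raise ValueError("not a witness v1 (Taproot) address")
    key = bytes(_convertbits(data[1:-6], 5, 8, False))
    if len(key) != 32:
        raise ValueError("witness program is not 32 bytes")
    return key

SAMPLE_KEY = bytes(range(32))   # constructed placeholder, not a real key
```

Decoding an address returns exactly the bytes that were encoded, so anyone who has seen the address already holds the key material that the hashed address types keep hidden until spend.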
Full name(s): Pay-To-Script-Hash & Pay-To-Witness-Script-Hash
Address example (P2SH): 3QUGT2g2oAvNzr6sFrJhNUsGtbqBzgnuoY
Address example (P2WSH): bc1qpk9552llma58qqkrfnwenyll30a8n809s6frjcvcsz7jh08q5dxqsgds08
Exposure: The full redeem script is revealed, along with any public keys, when spending the UTXO.
Risk:
- Mempool: while a transaction from that address is in the mempool.
- On-chain: if you reuse the same script after spending from it (similar to address reuse). Note that due to the variability of scripts, doing one transaction from the address might not always reveal a public key, but in those cases the transaction would reveal something else that results in the address being vulnerable.
- Off-chain: This risk exists only when the redeem or witness script actually contains ECDSA keys, for example the individual keys inside an M-of-N multisig wrapped in P2SH or P2WSH. If any of those keys signs a message off-chain and the signature is published, the associated public key becomes public. An attacker must still link that key to its script hash, but once the redeem/witness script is revealed (either because you disclose it directly or when you later spend the UTXO), the connection is obvious, and every output secured by that script becomes quantum-vulnerable.
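The per-type exposure rules above can be checked mechanically from the locking script. The following is an added example, not code from the original page: it classifies a scriptPubKey and reports whether key material is visible on receipt or only on spend. The function names and the sample keys and hashes are constructed placeholders.

```python
# Added example: classify a scriptPubKey by when its public key becomes visible.
OP_CHECKSIG, OP_CHECKMULTISIG = 0xAC, 0xAE

def _bare_multisig_keys(spk):
    """Return the public keys of a bare multisig script, or None."""
    if (len(spk) < 4 or spk[-1] != OP_CHECKMULTISIG
            or not (0x51 <= spk[0] <= 0x60 and 0x51 <= spk[-2] <= 0x60)):
        return None
    keys, i, end = [], 1, len(spk) - 2
    while i < end:
        n = spk[i]                       # push length: 33 or 65 byte key
        if n not in (33, 65) or i + 1 + n > end:
            return None
        keys.append(spk[i + 1:i + 1 + n])
        i += 1 + n
    return keys if len(keys) == spk[-2] - 0x50 else None

def classify(spk_hex):
    """Return (script type, exposure point, exposed key material as hex)."""
    spk = bytes.fromhex(spk_hex)
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", "on receipt", [spk[1:-1].hex()]
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", "on receipt", [spk[2:].hex()]   # x-only key
    keys = _bare_multisig_keys(spk)
    if keys:
        return "P2MS", "on receipt", [k.hex() for k in keys]
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", "on spend", []
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", "on spend", []
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", "on spend", []
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", "on spend", []
    return "unknown", "unknown", []

# Constructed sample data: placeholder bytes, not real keys or hashes.
KEY_A, KEY_B = "02" + "11" * 32, "03" + "22" * 32
SAMPLES = {
    "P2PK": "21" + KEY_A + "ac",
    "P2MS": "51" + "21" + KEY_A + "21" + KEY_B + "52" + "ae",
    "P2TR": "5120" + "33" * 32,
    "P2PKH": "76a914" + "44" * 20 + "88ac",
    "P2WPKH": "0014" + "55" * 20,
}
for name, spk in SAMPLES.items():
    print(name, classify(spk)[:2])
```

An "on spend" result only describes the output as created; once any output with the same hash has been spent, the key is on-chain and reuse of that address falls into the exposed class.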
- Use the latest wallet software.
- Use P2WPKH for single sig and P2WSH for multisig.
- Never reuse an address or script hash.
- Also, let’s stop calling it a Bitcoin public key.