What “vulnerable” means: An address is “quantum‑vulnerable” if its exposed public key can be fed into Shor’s algorithm to recover the private key.

Two attack vectors:

  1. On-chain exposure attack: the public key is committed to the blockchain indefinitely. This is typically due to the use of P2PK, P2MS, P2TR (Taproot), address reuse or off-chain protocols (Proof-of-Reserves).
  2. Mempool exposure attack: the attacker must recover the key before the transaction confirms (~10 mins). This requires a Cryptographically Relevant Quantum Computer (CRQC) that breaks a 256‑bit EC key in <10 min.

Address types and risks:

P2PK

Blockchain explorers sometimes display addresses for P2PK locking scripts; however, P2PK does not have an official address (block explorers treat P2PK as if it were P2PKH for ease of viewing).

  • Exposure: public key is exposed directly in the ScriptPubKey of the output (i.e. at UTXO creation).
  • Risk: on‑chain + mempool.
  • Notes: rare today; mostly seen in 2009–2011 coinbase outputs (≈ 1.7M bitcoins).

P2MS

  • Exposure: each public key is exposed in the ScriptPubKey of the output (i.e. at UTXO creation).
  • Risk: on‑chain + mempool.
  • Notes: uncommon—most multisig transactions are wrapped in P2SH or P2WSH instead.

P2PKH

e.g. 1AnTweDeSrSWCit2MuciULWaZ5bwZ1LNZC

  • Exposure: public key is exposed in the ScriptSig when spending (used as an input).
  • Risk:
    • Mempool: always.
    • On-chain: if you reuse the address. This happens far more regularly than you might think. Any address here beginning with a 1 is vulnerable to an on-chain exposure attack.
  • Notes: the dominant address type until SegWit (2017).

P2WPKH (SegWit)

e.g. bc1qxq93grfrnee46kheedpp8xkckutksx0wxw03ql

  • Exposure: public key is exposed in the witness field when spending (used as an input).
  • Risk: same as P2PKH (any address here beginning with bc1q is vulnerable to an on-chain exposure attack).
  • Notes: most popular address type as of 2025.

P2TR (Taproot)

e.g. bc1pn7dxdhk8sts6kva90usdy3lhlsukarlt7hk4qqnqpmvzmj3ykt7qgfqxc6

  • Exposure: address encodes a 32-byte x‑only portion of the public key; the full public key is trivial to reconstruct from an address alone.
  • Risk: on‑chain + mempool.

P2SH & P2WSH

e.g. 3QUGT2g2oAvNzr6sFrJhNUsGtbqBzgnuoY

e.g. bc1qpk9552llma58qqkrfnwenyll30a8n809s6frjcvcsz7jh08q5dxqsgds08

  • Exposure: redeem script (with any public keys) is revealed when spending (used as an input).
  • Risk:
    • Mempool: always.
    • On-chain: if you reuse the same script hash (akin to address reuse).
  • Notes: mostly used for multisig.
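
To audit your own outputs against the list above, the following Python (an added example, not part of the original post) classifies a raw scriptPubKey by type and reports whether the public key is visible as soon as the output exists or only when it is spent. The function names, constants and sample scripts are assumptions made for illustration; the samples use dummy key and hash bytes.

```python
# Added example: classify a scriptPubKey by when its public key becomes visible.
# All sample scripts are constructed with dummy bytes; they are not real outputs.
AT_CREATION = "public key visible once the output exists (on-chain + mempool)"
AT_SPEND = "public key visible only when spent (mempool; on-chain if reused)"

def is_p2ms(s: bytes) -> bool:
    # Bare multisig: OP_m <pubkey>... OP_n OP_CHECKMULTISIG (OP_1..OP_16 = 0x51..0x60)
    if len(s) < 4 or s[-1] != 0xAE:
        return False
    if not (0x51 <= s[0] <= 0x60 and 0x51 <= s[-2] <= 0x60):
        return False
    n, i, keys = s[-2] - 0x50, 1, 0
    while i < len(s) - 2:
        if s[i] not in (33, 65):   # each key is a 33- or 65-byte push
            return False
        i += 1 + s[i]
        keys += 1
    return i == len(s) - 2 and keys == n and s[0] - 0x50 <= n

def classify(script_hex: str) -> tuple[str, str]:
    s = bytes.fromhex(script_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:   # <pubkey> OP_CHECKSIG
        return "P2PK", AT_CREATION
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "P2PKH", AT_SPEND
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "P2SH", AT_SPEND
    if n == 22 and s[:2] == b"\x00\x14":                    # witness v0, 20-byte hash
        return "P2WPKH", AT_SPEND
    if n == 34 and s[:2] == b"\x00\x20":                    # witness v0, 32-byte hash
        return "P2WSH", AT_SPEND
    if n == 34 and s[:2] == b"\x51\x20":                    # witness v1, x-only key
        return "P2TR", AT_CREATION
    if is_p2ms(s):
        return "P2MS", AT_CREATION
    return "unknown", "not classified"

SAMPLES = {  # constructed sample scripts
    "P2PK": "21" + "02" + "11" * 32 + "ac",
    "P2PKH": "76a914" + "22" * 20 + "88ac",
    "P2WPKH": "0014" + "33" * 20,
    "P2TR": "5120" + "44" * 32,
    "P2MS": "51" + ("21" + "02" + "55" * 32) * 2 + "52ae",
}

if __name__ == "__main__":
    for name, script in SAMPLES.items():
        print(name, "->", classify(script))
```

An output reported as visible only when spent still falls into the on-chain category once any earlier spend from the same address or script hash has revealed the key.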

Stay safe out there folks