What makes an address "quantum-vulnerable"?

An address becomes “quantum‑vulnerable” once its public key becomes public knowledge. A cryptographically relevant quantum computer (CRQC) could then feed that public key into Shor’s algorithm and derive the private key.

When is a Bitcoin public key exposed?

  1. On-chain exposure: The full public key is written to the blockchain forever. This is typically due to the use of P2PK, P2MS (multi-sig), P2TR (Taproot), and address/script reuse.
  2. Mempool exposure: Spending a UTXO requires broadcasting the public key. An attacker must recover the key before the transaction is mined (~10 minutes).
  3. Off-chain exposure: e.g. signing messages with your private key and sharing that signature online, etc.

Numbers 1 and 3 fall into an attack vector category known as "Harvest-Now, Decrypt-Later", meaning a quantum adversary can collect exposed keys today and spend months or years to derive the matching private keys once hardware catches up.

To steal funds in the mempool (number 2), a CRQC would have to derive the private key before the next block (~10 min) and redirect the in-flight transaction. After the transaction confirms, the output linked to that key is fully spent, so, assuming you haven't reused the address, that public key no longer guards any unspent coins (if the same public key has other UTXOs because of address reuse, those balances remain exposed).

Address types and their risk profile:

P2PK

Full name: Pay-To-Public-Key

Address example: Some blockchain explorers display addresses for P2PK locking scripts; however, P2PK has no official address format.

Exposure: the public key is exposed in the ScriptPubKey of the locking script (i.e. at UTXO creation).

Risk: Bitcoin held in P2PK scripts is vulnerable to quantum attacks immediately upon receiving Bitcoin.

Notes: rare today; mostly seen in 2009–2011 coinbase outputs (≈ 1.7M bitcoins).

P2MS

Full name: Pay-To-Multi-Sig

Address example: Some blockchain explorers display addresses for P2MS locking scripts; however, P2MS has no official address format. A P2MS is simply a set of N public keys of which M must authorize a transaction spend (M-of-N).

Exposure: each public key is exposed in the ScriptPubKey of the locking script (i.e. at UTXO creation).

Risk: Bitcoin held in P2MS scripts is vulnerable to quantum attacks immediately upon receiving Bitcoin.

Notes: uncommon; most multisig transactions are wrapped in P2SH or P2WSH instead.

P2PKH

Full name: Pay-To-Public-Key-Hash

Address example: 1AnTweDeSrSWCit2MuciULWaZ5bwZ1LNZC (always starts with 1)

Exposure: With P2PKH, only a hash of the public key appears on-chain until the UTXO is spent. On spend, the public key itself is included in the ScriptSig of the spending transaction.

Risk:

  • Mempool: while a transaction from that address is in the mempool.
  • On-chain: if you reuse the address after spending from it. This happens far more regularly than you might think. Any address here beginning with a 1 is a P2PKH address that is vulnerable to quantum attack due to address reuse.
  • Off-chain: if you sign a message using the private key for this address, the public key will be available within the signature, making the address quantum-vulnerable if this signature is shared or published online.

Notes: the dominant address type until SegWit (2017).

P2WPKH

Full name: Pay-To-Witness-Public-Key-Hash, i.e. SegWit

Address example: bc1qxq93grfrnee46kheedpp8xkckutksx0wxw03ql (always starts with bc1q)

Exposure: As with P2PKH, only a hash of the public key appears on-chain until the UTXO is spent. On spend, the public key itself is included in the witness field of the spending transaction.

Risk:

  • Mempool: while a transaction from that address is in the mempool.
  • On-chain: if you reuse the address after spending from it. This happens far more regularly than you might think. Any address here beginning with bc1q is a P2WPKH address that is vulnerable to quantum attack due to address reuse.
  • Off-chain: if you sign a message using the private key for this address, the public key will be available within the signature, making the address quantum-vulnerable if this signature is shared or published online.

Notes: most popular address type as of 2025.

P2TR

Full name: Pay-To-Taproot, i.e. Taproot

Address example: bc1pn7dxdhk8sts6kva90usdy3lhlsukarlt7hk4qqnqpmvzmj3ykt7qgfqxc6 (always starts with bc1p)

Exposure: With P2TR, the address directly encodes the 32-byte x-only public key (the output key). As such, the full public key is trivial to reconstruct from the address alone.

Risk: Bitcoin held in P2TR scripts is vulnerable to quantum attacks immediately upon receiving Bitcoin.
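To make the P2TR point concrete, and to contrast it with bc1q addresses, here is an added example (not code from the article) that encodes and decodes SegWit addresses with bech32 (BIP-173, witness v0) and bech32m (BIP-350, witness v1). It uses only the Python standard library. A bc1p address decodes straight to the 32-byte x-only key, and because BIP-340 keys implicitly have an even y coordinate, prefixing 0x02 yields the full compressed key; a bc1q address decodes to nothing more than a 20-byte hash. The sample key used in the demo is the x coordinate of the secp256k1 generator point, chosen only because it is a well-known constant; the bc1p address in the demo is the one quoted in the article.

```python
# Added example: bech32 / bech32m address codec and "what does the address leak" check.
# Constants and algorithm follow BIP-173 and BIP-350.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST = 1             # BIP-173 checksum constant (witness v0: P2WPKH, P2WSH)
BECH32M_CONST = 0x2BC830A3   # BIP-350 checksum constant (witness v1+: P2TR)
GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def polymod(values):
    """BCH checksum polynomial from BIP-173."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def convertbits(data, frombits, tobits, pad):
    """Regroup a bit stream (8-bit bytes <-> 5-bit bech32 symbols)."""
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        raise ValueError("invalid padding bits")
    return out


def encode_segwit(hrp, witver, program):
    const = BECH32_CONST if witver == 0 else BECH32M_CONST
    data = [witver] + convertbits(program, 8, 5, True)
    poly = polymod(hrp_expand(hrp) + data + [0] * 6) ^ const
    checksum = [(poly >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def decode_segwit(addr):
    """Return (witness_version, witness_program); raise ValueError on any malformation."""
    if addr != addr.lower() and addr != addr.upper():
        raise ValueError("mixed-case address")
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        raise ValueError("bad separator position or length")
    hrp, body = addr[:pos], addr[pos + 1:]
    if any(c not in CHARSET for c in body):
        raise ValueError("character outside the bech32 alphabet")
    data = [CHARSET.index(c) for c in body]
    witver = data[0]
    if witver > 16:
        raise ValueError("invalid witness version")
    # v0 must verify under bech32, v1+ under bech32m; a v1 address with a bech32 checksum is rejected
    expected = BECH32_CONST if witver == 0 else BECH32M_CONST
    if polymod(hrp_expand(hrp) + data) != expected:
        raise ValueError("checksum mismatch (or wrong bech32/bech32m variant)")
    program = bytes(convertbits(data[1:-6], 5, 8, False))
    if not 2 <= len(program) <= 40 or (witver == 0 and len(program) not in (20, 32)):
        raise ValueError("invalid witness program length")
    return witver, program


def exposed_pubkey(addr):
    """Key recoverable from the address alone: full compressed key for P2TR, None for v0."""
    witver, program = decode_segwit(addr)
    if witver == 1 and len(program) == 32:
        # BIP-340 x-only key; y is implicitly even, so the compressed SEC key is 0x02 || x.
        return b"\x02" + program
    return None  # P2WPKH / P2WSH: only a 20- or 32-byte hash is visible until spend


if __name__ == "__main__":
    # Constructed sample: secp256k1 generator x coordinate, used as a stand-in output key.
    G_X = bytes.fromhex("79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
    taproot = encode_segwit("bc", 1, G_X)
    print(taproot, "->", exposed_pubkey(taproot).hex())
    # The P2TR address quoted in the article: the x-only key falls straight out of it.
    article_addr = "bc1pn7dxdhk8sts6kva90usdy3lhlsukarlt7hk4qqnqpmvzmj3ykt7qgfqxc6"
    print(article_addr, "->", exposed_pubkey(article_addr).hex())
    segwit_v0 = encode_segwit("bc", 0, bytes(range(20)))  # constructed 20-byte hash
    print(segwit_v0, "->", exposed_pubkey(segwit_v0))
```

The decoder deliberately refuses a witness-v1 address carrying a plain bech32 checksum, which is the BIP-350 rule; an older bech32-only decoder would accept such strings and mis-parse them.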

P2SH & P2WSH

Full name(s): Pay-To-Script-Hash & Pay-To-Witness-Script-Hash

Address example (P2SH): 3QUGT2g2oAvNzr6sFrJhNUsGtbqBzgnuoY

Address example (P2WSH): bc1qpk9552llma58qqkrfnwenyll30a8n809s6frjcvcsz7jh08q5dxqsgds08

Exposure: The full redeem script is revealed, along with any public keys, when spending the UTXO.

Risk:

  • Mempool: while a transaction from that address is in the mempool.
  • On-chain: if you reuse the same script after spending from it (similar to address reuse). Note that due to the variability of scripts, doing one transaction from the address might not always reveal a public key, but in those cases the transaction would reveal something else that results in the address being vulnerable.
  • Off-chain: This risk exists only when the redeem or witness script actually contains ECDSA keys, for example the individual keys inside an M-of-N multisig wrapped in P2SH or P2WSH. If any of those keys signs a message off-chain and the signature is published, the associated public key becomes public. An attacker must still link that key to its script hash, but once the redeem/witness script is revealed (either because you disclose it directly or when you later spend the UTXO) the connection is obvious, and every output secured by that script becomes quantum-vulnerable.
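The address-type catalogue above boils down to two questions a wallet audit can ask of every unspent output: does the scriptPubKey itself contain a public key (P2PK, P2MS, P2TR), and has the same script already been spent from, either in a confirmed block (address reuse) or in the mempool? The following is an added example, not code from the article, that answers both over a constructed UTXO set and spend history. It works on raw scriptPubKey bytes and does no hashing: when an input spends a P2PKH or P2WPKH output, the key it reveals is tied to that output's scriptPubKey, so any other UTXO carrying the identical scriptPubKey is linked to the revealed key without recomputing HASH160. Spent P2SH/P2WSH scripts are treated as exposed too, following the on-chain bullet above. All keys, hashes and signatures in the sample data are filler bytes.

```python
# Added example: quantum-exposure audit over a toy UTXO set (constructed data, filler keys).
from dataclasses import dataclass, field

# Real Bitcoin script opcode values used in the templates below.
OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160 = 0x76, 0x87, 0x88, 0xA9
OP_CHECKSIG, OP_CHECKMULTISIG = 0xAC, 0xAE


def classify(spk: bytes):
    """Return (script type, True if the output itself already contains a public key)."""
    n = len(spk)
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", False
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[22] == OP_EQUAL:
        return "P2SH", False
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH", False
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "P2WSH", False
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR", True       # x-only key sits in the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", True       # full key sits in the output
    if n > 3 and spk[-1] == OP_CHECKMULTISIG and OP_1 <= spk[0] <= OP_16 and OP_1 <= spk[-2] <= OP_16:
        return "P2MS", True       # every key sits in the output
    return "unknown", False


def pushes(script: bytes):
    """Split a script made only of direct data pushes (opcodes 0x01-0x4b) into its items."""
    items, i = [], 0
    while i < len(script):
        n = script[i]
        if not 1 <= n <= 0x4B:
            raise ValueError(f"unexpected opcode {n:#x} at offset {i}")
        items.append(script[i + 1:i + 1 + n])
        i += 1 + n
    return items


@dataclass
class TxIn:
    prev_spk: bytes                       # scriptPubKey of the output being spent
    script_sig: bytes = b""
    witness: list = field(default_factory=list)


@dataclass
class Tx:
    inputs: list
    confirmed: bool                       # False = still sitting in the mempool


def revealed_pubkey(txin: TxIn):
    """Key an input publishes on spend: last scriptSig push (P2PKH) or last witness item (P2WPKH)."""
    kind, _ = classify(txin.prev_spk)
    if kind == "P2PKH":
        return pushes(txin.script_sig)[-1]
    if kind == "P2WPKH":
        return txin.witness[-1]
    return None


def audit(utxos: dict, txs: list):
    """Map outpoint -> (type, status) using the article's three exposure paths."""
    on_chain, mempool = {}, {}
    for tx in txs:
        for txin in tx.inputs:
            kind, _ = classify(txin.prev_spk)
            key = revealed_pubkey(txin)
            if key is None and kind not in ("P2SH", "P2WSH"):
                continue              # nothing new is revealed by this input
            (on_chain if tx.confirmed else mempool)[txin.prev_spk] = key
    report = {}
    for outpoint, spk in utxos.items():
        kind, immediate = classify(spk)
        if immediate:
            status = "EXPOSED: public key is in the scriptPubKey"
        elif spk in on_chain:
            status = "EXPOSED: script reused after a confirmed spend"
        elif spk in mempool:
            status = "AT RISK: a spend of this script is in the mempool"
        else:
            status = "hashed: key not yet revealed"
        report[outpoint] = (kind, status)
    return report


# Constructed sample data (filler bytes, not real keys or hashes).
KEY_A, KEY_B, KEY_C = b"\x02" + b"\xaa" * 32, b"\x03" + b"\xbb" * 32, b"\x02" + b"\xcc" * 32
H_A, H_B, H_C = b"\x11" * 20, b"\x22" * 20, b"\x33" * 20
SIG = b"\x30" + b"\x44" * 70          # placeholder for a 71-byte DER signature
P2PKH_A = bytes([OP_DUP, OP_HASH160, 20]) + H_A + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_B = bytes([OP_DUP, OP_HASH160, 20]) + H_B + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH_C = bytes([OP_0, 20]) + H_C
P2TR_X = bytes([OP_1, 32]) + b"\xdd" * 32
P2PK_A = bytes([33]) + KEY_A + bytes([OP_CHECKSIG])
P2MS_AB = bytes([OP_1, 33]) + KEY_A + bytes([33]) + KEY_B + bytes([0x52, OP_CHECKMULTISIG])  # 1-of-2
SAMPLE_UTXOS = {
    "tx1:0": P2PKH_A,    # A was spent from in a confirmed tx, then received coins again: reuse
    "tx2:0": P2PKH_B,    # B has never been spent from
    "tx3:0": P2WPKH_C,   # a spend from C is currently in the mempool
    "tx4:0": P2TR_X, "tx5:0": P2PK_A, "tx6:0": P2MS_AB,
}
SAMPLE_TXS = [
    Tx([TxIn(P2PKH_A, script_sig=bytes([len(SIG)]) + SIG + bytes([33]) + KEY_A)], confirmed=True),
    Tx([TxIn(P2WPKH_C, witness=[SIG, KEY_C])], confirmed=False),
]

if __name__ == "__main__":
    for outpoint, (kind, status) in audit(SAMPLE_UTXOS, SAMPLE_TXS).items():
        print(f"{outpoint:7} {kind:7} {status}")
```

In a real audit the `prev_spk` of each input comes from the node's UTXO lookup of the outpoint being spent, and the confirmed/mempool split from whether the transaction has a block height; the classification and linking logic stays the same.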

Stay safe out there folks