ARK Invest Quantifies Bitcoin's Quantum Threat: 34.6% of Supply at Risk, but the Clock Isn't Ticking Yet
A joint whitepaper from ARK Invest and Unchained has done something no one else has managed at this scale: it puts a precise number on how much Bitcoin is exposed to quantum computing attacks. The answer — 34.6% of total supply, roughly $240 billion at current prices — is simultaneously alarming and reassuring. Alarming because it quantifies what was previously handwaved as a distant hypothetical. Reassuring because the report also demonstrates that the remaining 65.4% of BTC sits safely behind cryptographic hashing that quantum computers cannot crack, and that the industry likely has a decade to prepare.
The Five Stages of Quantum Threat
Rather than treating quantum risk as a binary on/off switch, ARK and Unchained introduce a five-stage framework that maps quantum computing's progression from laboratory curiosity to cryptographic weapon.
Stage 1 — Commercial Utility (Today): Quantum computers solve optimization and simulation problems for pharma, logistics, and materials science. No cryptographic relevance. This is where we are in 2026.
Stage 2 — Cryptographic Relevance (Early Warning): Quantum machines begin breaking toy cryptographic problems — think small key sizes or deprecated algorithms. Bitcoin's secp256k1 elliptic curve remains untouched, but the writing appears on the wall.
Stage 3 — ECC Vulnerability (First Real Risk): A quantum computer running Shor's algorithm can derive a private key from a known public key — but slowly. At this stage, an attacker might need days or weeks to crack a single key. Bitcoin addresses that expose their public key become vulnerable, but the attack is impractical for most targets.
Stage 4 — Sub-Block-Time Cracking (Critical Threshold): The quantum machine breaks a private key faster than Bitcoin's 10-minute block time. This is the point where Bitcoin's monetary system faces an existential challenge: an attacker could see a transaction in the mempool, extract the sender's public key, derive the private key, and broadcast a competing transaction before the original confirms.
Stage 5 — Cryptographic Collapse: Quantum computers crack keys nearly instantaneously. Without post-quantum defenses, Bitcoin's security model breaks entirely.
ARK projects that we won't reach Stage 3 until the mid-2030s at the earliest. Today's most advanced quantum processors (Google's Willow chip at 105 qubits, IBM's Kookaburra at 1,386 qubits) sit orders of magnitude below the estimated 13 million logical qubits needed to break Bitcoin's elliptic-curve keys within a day.
What Exactly Is Vulnerable?
The 34.6% figure breaks down into three categories of exposed Bitcoin, each with a different risk profile:
Legacy P2PK Outputs (~1.7 million BTC): The earliest Bitcoin transactions used Pay-to-Public-Key (P2PK) scripts, which store the raw public key directly on the blockchain. Anyone can read these public keys today. This category includes Satoshi Nakamoto's estimated 1.1 million BTC — coins mined between 2009 and 2010 that have never moved. These are the most vulnerable addresses because the public key is permanently visible, giving a quantum attacker unlimited time to work.
Reused Addresses (~5 million BTC): When a user spends from an address, the transaction reveals the public key. If that address receives additional funds afterward, those new coins sit behind an exposed key. Address reuse, long discouraged by Bitcoin best practices, accounts for the largest share of quantum-vulnerable supply.
Taproot P2TR Outputs (~200,000 BTC): Taproot's key-path spending mechanism also exposes public keys in a way that a sufficiently powerful quantum computer could exploit. While Taproot is Bitcoin's newest address format, its design prioritized efficiency and privacy over quantum resistance.
What Remains Safe
The remaining 65.4% of Bitcoin supply sits in hashed address formats — primarily P2PKH (Pay-to-Public-Key-Hash) and P2SH (Pay-to-Script-Hash) — where the public key remains hidden behind a SHA-256 and RIPEMD-160 hash until the moment funds are spent. Quantum computers excel at breaking elliptic-curve cryptography via Shor's algorithm, but they offer only a quadratic speedup against hash functions via Grover's algorithm. Breaking SHA-256 with Grover's would still require roughly 2^128 operations — a number so vast that it remains effectively impossible even for quantum machines.
The key insight: if you hold Bitcoin in a standard hashed address and have never spent from it, your coins are quantum-safe under every realistic timeline.
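The exposed categories and the hashed formats described above can be told apart from the output script alone, plus a record of which scripts have already funded a spend. The following is an added example, not code from the ARK/Unchained whitepaper: the function names, the spent_scripts input and the sample wallet are constructed for illustration, and the byte patterns are the standard Bitcoin output templates.

```python
# Added example (not from the whitepaper). Sample scripts below are constructed.
EXPOSED_AT_REST = {"P2PK", "P2TR"}  # public key sits in the output script itself

def classify(spk_hex: str) -> str:
    """Match a scriptPubKey against the standard Bitcoin output templates."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    # P2PK: <push 33 or 65 bytes> <pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "P2SH"
    # Witness programs: version opcode followed by a 20- or 32-byte push
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH"
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH"
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR"
    return "unknown"

def audit(utxos, spent_scripts):
    """utxos: {label: scriptPubKey hex}; spent_scripts: scripts that funded an earlier spend."""
    report = {}
    for label, spk in utxos.items():
        kind = classify(spk)
        if kind in EXPOSED_AT_REST:
            status = "exposed: key in output script"
        elif kind == "unknown":
            status = "review manually"
        elif spk.lower() in spent_scripts:
            status = "exposed: address reused after spend"
        else:
            status = "hashed: key hidden until spent"
        report[label] = (kind, status)
    return report

# Constructed sample wallet (filler bytes, not real keys or hashes)
SAMPLE = {
    "old_mined": "41" + "04" + "11" * 64 + "ac",
    "cold": "76a914" + "22" * 20 + "88ac",
    "hot": "0014" + "44" * 20,
    "taproot": "5120" + "33" * 32,
}
SPENT = {SAMPLE["hot"]}  # "hot" received funds again after being spent from
```

Calling audit(SAMPLE, SPENT) returns one (type, status) pair per labelled output; in practice the spent set would come from the wallet's own transaction history.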
BIP-360: Bitcoin's First Quantum Defense Proposal
The whitepaper highlights BIP-360 — now renamed Pay-to-Merkle-Root (P2MR) — as Bitcoin's first concrete step toward quantum resistance. Originally proposed as P2QRH (Pay-to-Quantum-Resistant-Hash) before being renamed for generality, BIP-360 introduces a new output type that removes Taproot's key-path spending vulnerability.
Here's what BIP-360 does and does not do:
What it does:
- Removes the key-path spend that exposes public keys in Taproot transactions
- Introduces Pay-to-Merkle-Root (P2MR) outputs that keep all spending conditions behind Merkle-tree commitments
- Creates a framework where post-quantum signature schemes can be plugged in via future soft forks
- Can be deployed as a backward-compatible soft fork, following the SegWit and Taproot adoption pattern
What it does not do:
- It does not add post-quantum digital signatures itself — that requires a separate upgrade
- It does not protect already-exposed P2PK and reused addresses
- It does not force migration; existing address types continue working
The practical implication: BIP-360 is necessary infrastructure, not a complete solution. It prepares Bitcoin's address architecture for post-quantum signatures without mandating which specific algorithm (ML-DSA, SLH-DSA, or others) will ultimately be adopted.
The Race for Post-Quantum Signatures
NIST finalized its first three post-quantum cryptography standards in August 2024:
- ML-KEM (FIPS 203): Lattice-based key encapsulation, derived from CRYSTALS-KYBER
- ML-DSA (FIPS 204): Lattice-based digital signatures, derived from CRYSTALS-Dilithium
- SLH-DSA (FIPS 205): Stateless hash-based signatures, derived from SPHINCS+
For Bitcoin, the signature standards matter most. ARK and Unchained's whitepaper recommends integrating ML-DSA or SLH-DSA through a soft fork upgrade. Each comes with trade-offs:
ML-DSA offers smaller signatures (~2.4 KB) and faster verification, making it more practical for Bitcoin's bandwidth constraints. However, lattice-based cryptography is newer and its long-term security assumptions are less battle-tested.
SLH-DSA relies on hash functions — the same mathematical primitive that already protects 65.4% of Bitcoin supply. It's conservative and well-understood, but signatures are much larger (~8-40 KB depending on parameters), which could bloat Bitcoin transactions significantly.
BTQ Technologies has already demonstrated a proof-of-concept Bitcoin implementation using ML-DSA, replacing vulnerable ECDSA signatures in their "Bitcoin Quantum Core Release 0.2." But moving from a testnet demo to network-wide consensus requires years of review, testing, and social coordination.
How Bitcoin Compares to Ethereum's Approach
While Bitcoin is methodically building toward quantum resistance through BIP-360 and future signature upgrades, Ethereum is taking a more aggressive timeline. Vitalik Buterin unveiled a quantum defense roadmap in February 2026 with several parallel tracks:
- EIP-8141 enables accounts to switch signature schemes — including quantum-resistant ones — without changing wallets. Buterin confirmed it will ship with the Hegotá hard fork in late 2026.
- A dedicated Post-Quantum Security team, established in January 2026, is researching hash-based replacements for BLS validator signatures.
- The ETH2030 roadmap targets full quantum resistance with six signature schemes and recursive STARK aggregation.
The difference in approach reflects each network's philosophy. Bitcoin prioritizes caution and backward compatibility — any change must achieve overwhelming consensus and be deployable as a soft fork. Ethereum moves faster, leveraging its hard-fork culture and account abstraction to swap cryptographic primitives more aggressively.
Neither approach is strictly better. Bitcoin's conservative path reduces the risk of introducing new vulnerabilities through hasty upgrades. Ethereum's faster cadence means quantum protection arrives sooner but carries more implementation risk.
What Bitcoin Holders Should Do Today
The ARK/Unchained whitepaper, while sounding an alarm, is fundamentally optimistic. The quantum threat is real but distant, and Bitcoin's open-source development process has time to implement defenses. Still, individual holders can take steps now:
- Stop reusing addresses. Every time you spend from an address, you expose the public key. Use a new receiving address for every transaction — this is already best practice.
- Move coins out of legacy P2PK outputs. If you hold Bitcoin in very old address formats (those starting with "04" or uncompressed public keys), transfer them to modern P2SH or P2WPKH addresses.
- Monitor BIP-360 development. When the upgrade activates, migrate to P2MR outputs. This isn't urgent today but will become increasingly important as quantum hardware advances.
- Don't panic about Satoshi's coins. The 1.1 million BTC in early P2PK addresses cannot be moved (assuming lost keys). If quantum computers ever crack those keys, the community will face a governance question — not a technical one.
The Bigger Picture
The ARK/Unchained whitepaper arrives at a moment when quantum computing discourse has shifted from science fiction to strategic planning. Google's Willow chip proved below-threshold error correction in 2024. IBM's multi-processor quantum systems are pushing past 4,000 qubits. NIST's post-quantum standards are being deployed across internet infrastructure, with Chrome and Android defaulting to post-quantum TLS by mid-2026.
Bitcoin's 34.6% vulnerability window is large enough to demand action but small enough to be solvable. The five-stage framework gives the ecosystem a shared vocabulary for tracking progress. BIP-360 provides the architectural foundation. NIST standards offer the cryptographic tools.
The question isn't whether Bitcoin will become quantum-resistant — it's whether the community will coordinate the necessary upgrades before Stage 3 arrives. Given Bitcoin's track record of methodical, consensus-driven evolution through SegWit, Taproot, and beyond, the odds favor preparation over catastrophe.
The clock isn't ticking yet. But for the first time, we know exactly what we're counting down to.