Bitcoin's Quantum Bifurcation: 6.7M BTC Vulnerable and Two Allocator Camps

Dora Noda
Software Engineer

Roughly 6.7 million BTC sit in addresses that have already broadcast their public keys to the world. That is about a third of the total supply, including the ~1.1 million coins attributed to Satoshi Nakamoto. A sufficiently capable quantum computer could, in principle, derive the private key for any of them.

Two of the most-cited research desks in crypto have looked at exactly the same data and reached opposite conclusions about what allocators should do this year.

Capriole Investments founder Charles Edwards argues the community must ship a quantum fix by the end of 2026 or absorb a 20% valuation discount, with downside below $50,000 by 2028 if the network drags its feet. Grayscale Research, in its 2026 Digital Asset Outlook: Dawn of the Institutional Era, calls quantum risk a "red herring" — real but distant, unlikely to move 2026 prices, and overshadowed by the institutional capital wave reshaping the asset class.

This isn't a debate about whether the threat is real. Both camps agree it is. It's a debate about when the cost shows up in the price — and that question now drives two completely different allocation playbooks.

The Number Everyone Is Arguing About: 6.7 Million BTC

Quantum vulnerability in Bitcoin is not uniform. The danger depends on what kind of address holds your coins, and whether their public key has ever appeared on-chain.

The breakdown that anchors most of the 2026 discourse looks roughly like this:

  • ~1.72 million BTC in Pay-to-Public-Key (P2PK) outputs. These are the original 2009-era addresses, including the bulk of Satoshi's stash. P2PK exposes the public key directly. There is no one to migrate the coins to a quantum-safe address, since many of these holders are believed to be dead or to have lost their keys.
  • ~4.9 million BTC in reused addresses across other formats. Once you spend from a Pay-to-Public-Key-Hash (P2PKH), Pay-to-Witness-Public-Key-Hash (P2WPKH), or Taproot output, the public key is visible in the witness data. If the holder reuses that address — or leaves a balance behind after first spend — the public key is exposed for the rest of the network's history.
  • ~200,000 BTC scattered across other reused or partially exposed categories.

Add it up: roughly 6.8 million BTC, or about 34% of the circulating supply, lives in addresses that a Shor-capable quantum computer could, in theory, drain. The remaining two-thirds — sitting in unspent P2PKH/P2WPKH/Taproot outputs whose public keys have never been broadcast — are protected by an additional layer of hashing that quantum computers cannot break with the same algorithm.

That asymmetry is what makes the debate so structurally weird. Quantum risk in Bitcoin is not "the network breaks." It is "early adopters and sloppy address-reusers get drained, while careful single-use HODLers are fine." The market has to price a threat that is concentrated in a specific cohort of coins, not spread evenly across the supply.

Edwards' Case: Price the Risk Now, Ship the Fix Faster

Charles Edwards has been the loudest institutional voice on the bear side of the quantum debate. His thesis, articulated across a series of late-2025 and 2026 talks, has three parts.

First, the discount is already there. Edwards argues that if you took an honest discounted-cash-flow style approach to Bitcoin's "stock" of vulnerable supply versus its "flow" of new issuance, the asset already deserves a markdown of roughly 20% relative to where it would trade if quantum risk were zero. In his framing, every month the network goes without a clear quantum-resistant migration path, that discount widens.

Second, the timeline is shorter than people think. Edwards leans on Deloitte's analysis estimating ~25% of BTC is exposed, and stitches it to the rapid progression of public quantum hardware. Project Eleven's Q-Day Prize — awarded April 24, 2026 to researcher Giancarlo Lelli for breaking a 15-bit elliptic curve key on a publicly accessible quantum computer — is the data point he keeps returning to. Steve Tippeconnic's 6-bit demonstration in September 2025 was the first public break; Lelli's 15-bit result is a 512x improvement in seven months. The exponential is not theoretical.

Third, banks won't save Bitcoin. Edwards' more pointed argument is that Bitcoin will be hit before traditional finance because banks have already begun migrating to post-quantum encryption schemes — and even when banks fail, they have legal mechanisms to claw back fraudulent transfers. Bitcoin has no such mechanism. A successful quantum drain on a Satoshi-era P2PK address would be irreversible, public, and existentially confidence-shattering for the asset.

His prescribed action: ship a quantum-resistant migration path before the end of 2026. If Bitcoin doesn't, Edwards' worst-case scenario for 2028 puts BTC below $50,000 — not because quantum computers will actually break ECDSA by then, but because the expectation of an unfixable cliff will be priced in well before the cliff arrives.

Grayscale's Case: Real, But Not for 2026

Grayscale's 2026 Digital Asset Outlook takes the opposite stance. Quantum computing is acknowledged as a long-term consideration, but the firm's framing is unambiguous: it is a "red herring" for 2026 markets.

The Grayscale argument rests on three load-bearing claims.

One: the hardware isn't there. A sufficiently powerful quantum computer to derive private keys from public keys is not expected before 2030 at the earliest. Google's own published whitepapers in April 2026 estimated that a 256-bit ECC attack would require under 500,000 physical qubits — and Willow, Google's flagship chip from late 2024, has 105. A subsequent Caltech and Oratomic paper brought the requirement as low as ~10,000 qubits in a neutral-atom architecture, but even that is roughly two orders of magnitude beyond what any public quantum system has demonstrated.

Two: developer response is real. BIP-360, which introduces Pay-to-Merkle-Root (P2MR) — a new Bitcoin output type that uses Dilithium (now NIST-standardized as ML-DSA) post-quantum signatures and hides public keys from quantum attack — was merged into Bitcoin's official BIP repository on February 11, 2026. BTQ Technologies released the first working testnet implementation (v0.3.0) the following month. The migration runway exists; it just hasn't activated.

Three: 2026 catalysts dominate. Grayscale's outlook frames 2026 as the start of "the institutional era." Spot ETF AUM has crossed $87 billion. The CLARITY Act is on a May Senate Banking markup track. SEC Chair Paul Atkins has shipped a four-category token taxonomy that opens institutional-grade flow into the asset class. Against that backdrop, Grayscale argues, a 2030+ tail risk is the wrong reason to underweight the asset.

The implicit allocator instruction is "stay long, ignore the noise." Grayscale's position is not that quantum risk is fake — the firm explicitly notes Bitcoin and most blockchains will eventually need post-quantum upgrades. The position is that 2026's price discovery will be driven by ETF flows, regulatory clarity, and macro liquidity, not by hypothetical 2030 hardware.

The Two Allocator Playbooks

Boil the camps down to operating instructions and the divergence becomes stark.

Edwards-camp playbook (defensive):

  • Front-load migration tooling reviews now. Custodians stress-test BIP-360 wallets on testnet. Cold-storage providers publish post-quantum migration roadmaps before EOY 2026.
  • Pre-emptively re-spend exposed cold-storage UTXOs into fresh single-use addresses to bury public keys back behind hashes.
  • Pay the real cost today — operational complexity, audit overhead, possibly fee spikes during a coordinated migration window — to avoid catastrophic tail risk in 2028-2030.
  • Treat any 2026 BTC weakness as partially attributable to quantum-overhang, not just macro.

Grayscale-camp playbook (opportunistic):

  • Continue sizing BTC against ETF flow models, regulatory catalysts, and four-year-cycle decoupling theses.
  • Assume orderly, EF-style protocol upgrade cadence resolves the migration during the 2027-2030 window.
  • Don't pay up for "quantum-resistant infrastructure" exposure today; the multiples don't justify it on 2026 cash flows.
  • Keep an eye on quantum hardware milestones, but treat them as monitoring, not allocation, signals.

Neither playbook is unreasonable on its own terms. The split exists because the two camps disagree on the asymmetry — specifically, whether the cost of frontloaded defense is small relative to the payoff if Edwards is right, or large relative to the payoff if Grayscale is right.

The Governance Question Both Camps Are Avoiding

The most uncomfortable part of the 2026 quantum debate isn't the hardware timeline. It is the governance question raised by BIP-361.

On April 15, 2026, Jameson Lopp and five co-authors published BIP-361 — "Post Quantum Migration and Legacy Signature Sunset" — a proposal that would, after activation through a soft fork, force a deadline on quantum-vulnerable address holders. Phase A (~160,000 blocks, roughly three years post-activation) stops the network from accepting new sends to vulnerable legacy address types. Phase B (another ~two years later) rejects any transaction signed with legacy ECDSA or Schnorr from those addresses. Funds in unmigrated wallets become effectively frozen.

The technical case is straightforward: if you don't sunset legacy signatures, a single quantum drain can confidence-shock the entire network. The political case is brutal. "Whoever holds the keys controls the coins — without exception" has been a load-bearing Bitcoin promise since 2009. BIP-361 puts an expiry date on that promise.

Adam Back's counterproposal — articulated at Paris Blockchain Week — is that quantum-resistant features should be added as optional upgrades, not forced freezes. Current quantum computers, Back has said publicly, "remain essentially lab experiments," and a forced sunset of dormant holdings (most prominently Satoshi's) would set a precedent that overrides Bitcoin's core property-rights guarantee.

Across developer forums and X, BIP-361 has been called "authoritarian" and "predatory" by critics who argue that the proposal — even if technically necessary — undermines the asset's most marketable property to institutional buyers: that no one, not even the developers, can take your coins.

This is the part of the debate Edwards and Grayscale don't directly address. Edwards' camp wants a fix; BIP-361 is the most concrete fix on the table; but BIP-361 is also the policy choice most likely to fracture the Bitcoin community along ideological lines and produce a contentious fork. Grayscale's camp wants to wait; but waiting compresses the runway for any soft-fork debate to play out before the threat materializes.

The Read-Through for Infrastructure

Whichever camp is right, the migration runway is going to produce a measurable workload signature for blockchain infrastructure providers. Quantum-resistance testing and pre-emptive migration are not the same RPC traffic shape as DeFi memecoin spam.

Custodian-grade migration testing tends to generate:

  • Heavy archive-node reads — full UTXO scans to identify exposed public keys across an institutional book.
  • Sustained signature-scheme attestation traffic — verifying that newly-deployed P2MR outputs validate correctly under both legacy and post-quantum verifiers.
  • Bulk address-format scans — institutional wallets running batch checks on which UTXOs sit in vulnerable formats.
  • Long-running trace queries on settlement events — the kind of debug-level workload that mainstream commodity RPC providers are not optimized for.

This is workload that lands on the Edwards-camp side first. Grayscale-camp allocators won't generate it until they have to. So the early signal that quantum migration is becoming operational, not theoretical, will show up as a shift in custodian RPC traffic patterns long before it shows up in BTC spot price.
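The bulk address-format scan from the list above, combined with the exposure rules from the 6.7 million BTC breakdown, as an added example (not code from BlockEden.xyz or any custodian). It covers P2PK, P2PKH and P2WPKH only and matches on the 20-byte key hash, so a key revealed by a P2PKH spend also flags a P2WPKH output for the same key; the sample UTXOs, outpoint labels and the `revealed_hashes` indexer feed are constructed assumptions.

```python
# Added example: flag UTXOs whose public key is already on-chain.
# Covers P2PK, P2PKH and P2WPKH only; other script types are not assessed.

def parse_script(spk: bytes):
    """Return (type, key_hash) for a scriptPubKey; key_hash is None for P2PK/other."""
    # P2PK: <push 33 or 65 bytes> <pubkey> OP_CHECKSIG
    if len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == 0xAC:
        return "p2pk", None
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh", spk[3:23]
    # P2WPKH: OP_0 <20-byte hash>
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh", spk[2:22]
    return "other", None

def scan(utxos, revealed_hashes):
    """utxos: (outpoint, scriptPubKey hex, sats). revealed_hashes: HASH160 values
    whose public key has appeared in a spending input (assumed to come from an
    indexer). Returns (findings, exposed_sats)."""
    findings, exposed = [], 0
    for outpoint, spk_hex, sats in utxos:
        kind, key_hash = parse_script(bytes.fromhex(spk_hex))
        if kind == "p2pk":
            reason = "public key is in the output script"
        elif key_hash in revealed_hashes:
            reason = "key hash already revealed by an earlier spend"
        else:
            continue  # key still behind a hash, or type not assessed
        findings.append((outpoint, kind, reason))
        exposed += sats
    return findings, exposed

# Constructed sample data: not real keys, hashes or outpoints.
PUBKEY = b"\x02" + bytes(range(32))
H_A, H_B = b"\x11" * 20, b"\x22" * 20
SAMPLE_UTXOS = [
    ("aa:0", (b"\x21" + PUBKEY + b"\xac").hex(), 5_000_000_000),    # P2PK
    ("bb:1", (b"\x76\xa9\x14" + H_A + b"\x88\xac").hex(), 150_000),  # P2PKH, key A
    ("cc:0", (b"\x00\x14" + H_A).hex(), 20_000),                    # P2WPKH, key A
    ("dd:2", (b"\x00\x14" + H_B).hex(), 70_000),                    # P2WPKH, key B
]
REVEALED = {H_A}  # key A has signed a spend before

if __name__ == "__main__":
    findings, exposed = scan(SAMPLE_UTXOS, REVEALED)
    for row in findings:
        print(*row, sep="  ")
    print("exposed sats:", exposed)
```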

BlockEden.xyz operates institutional-grade RPC and indexer infrastructure across Bitcoin, Sui, Aptos, Ethereum, and 25+ other chains — including the archive-node and trace workloads that quantum-migration testing tends to generate. If your team is stress-testing post-quantum tooling on Bitcoin or any other asset, explore our API marketplace for infrastructure built for non-trivial workloads.

What to Watch Through End of 2026

The Edwards-versus-Grayscale split is a real allocator disagreement, but it will be resolved one way or the other by a small handful of milestones over the next eight months.

Quantum hardware: Watch for the next Q-Day Prize award. A 20-bit or 24-bit ECC break on public hardware would make the exponential too obvious to ignore. Conversely, no further public progress through end of 2026 lengthens Grayscale's runway.

BIP-361 activation path: Does the proposal pick up enough developer support to enter a real activation discussion, or does Adam Back's optional-upgrades counter-proposal carry the room? Either outcome materially shifts the migration timeline.

Custodian behavior: Watch whether Coinbase Custody, BitGo, Anchorage, and Fidelity Digital Assets publish post-quantum readiness statements. The first major custodian to commit to BIP-360 wallets in production is the leading indicator that Edwards' urgency is bleeding into operational decisions.

Spot price reaction: If BTC underperforms its ETF-flow model in 2026 by more than ~15%, Edwards' "quantum discount" framing gets harder to dismiss. If BTC matches or exceeds Grayscale's first-half all-time-high projection, the red-herring framing wins by default.

The asymmetry to watch is this: Edwards needs to be right eventually for his case to land, even if 2026 prices don't reflect it. Grayscale needs to be right now — every month BTC marches higher without an obvious quantum overhang strengthens the red-herring frame, but a single confidence-shock event could erase years of that thesis in a week.

That's the bifurcation. Two desks, the same data, opposite playbooks. The market will pick a side before the quantum computers do.
