← Satoshi Institute

Quantum Core Institute · exposure check

Is this Bitcoin quantum-exposed?

Quantum risk reduces to one question: is the public key that guards these coins already visible on-chain? If it is, a future quantum computer could derive the private key from it. Paste an address to check, or see how much of all Bitcoin already sits exposed.

Check an address

or learn by typeLegacy 1…P2SH 3…SegWit bc1q…Taproot bc1p…

The address is sent to mempool.space to read its public on-chain history. It is never stored, logged, or kept by this tool.

How much of all Bitcoin is exposed

By the same test — is the public key visible on-chain — applied across the whole supply.

69.8%
20.6%
9.6%
Protected at rest
13.99M BTC
No public key revealed yet. Safe until the coins are spent.
Operational exposure
4.12M BTC
Key revealed through address reuse or past spends. The actionable bucket.
Structural exposure
1.92M BTC
Key visible by design — P2PK and Taproot. Includes ~1.7M early/lost coins.

Roughly 6.04M BTC — 30.2% of issued supply — is exposed at rest (Glassnode, mid-2026). Estimates across Glassnode, Ark Invest/Unchained, Deloitte, and Chaincode Labs range 25–35% depending on method. Figures are sourced periodically, not scanned live.

Holding exposed coins?Reducing exposure is mostly about address hygiene and migration timing. The guide walks through it without the alarmism.Get the exposure guide →
Custodian or treasury?QCI runs a full quantum-readiness assessment across holdings and signing infrastructure, not one address at a time.Book a QCI briefing →

Educational tool, not a security audit. "Exposed" means the public key is visible on-chain, which is a prerequisite for a future quantum attack, not evidence that funds are at immediate risk — no computer can currently break secp256k1. Spending from any address briefly reveals its key in the mempool, so even protected coins carry exposure at the moment of spending. Not financial or security advice.

FAQ

Is quantum computing actually a threat to Bitcoin right now?

No — not today. But the timeline and the mechanism are specific enough to take seriously.

Bitcoin addresses use ECDSA (Elliptic Curve Digital Signature Algorithm) over the secp256k1 curve. Breaking a private key from a public key requires solving the elliptic curve discrete logarithm problem. A sufficiently powerful quantum computer running Shor's algorithm could do this. "Sufficiently powerful" currently means roughly 2,000–4,000 logical (error-corrected) qubits. The best quantum computers today have hundreds to low thousands of physical qubits with high error rates — logical qubit counts remain far below the threshold.

The distinction that matters — exposed vs. unexposed addresses:

  • A Bitcoin address that has never signed a transaction reveals only its hash, not its public key. A quantum computer cannot derive the private key from a hash alone (that would require breaking SHA-256/RIPEMD-160, which Grover's algorithm weakens but does not break in any practical sense).
  • An address that has signed at least one transaction has broadcast its public key to the chain. That public key is the input to Shor's algorithm. These addresses are the ones that become vulnerable when quantum capability crosses the threshold.

The harvest-now-decrypt-later risk:

Nation-state actors may be archiving blockchain data today with the intention of decrypting exposed keys once capability arrives. This is the threat model that makes "not a problem yet" an incomplete answer.

The checker identifies whether an address falls into the exposed category. It is not a definitive security audit — it is a first-order screening based on public on-chain data.

Methodology

Classifies a Bitcoin address by whether its public key is visible on chain, and estimates the quantum resources required to break it.

ECDSA Public Key
Q = d · G on secp256k1 (n = 256)
Shor Logical Qubits (n-bit key)
q_logical ≈ 2n + 3 (≈ 515 for secp256k1)
Toffoli Depth
O(n³)
Physical Qubits (surface code)
q_physical ≈ q_logical × 10³–10⁴
Grover Effective Security (hashed key)
s_eff = n ÷ 2 ≈ 80 bits
Exposure Window
W = max(0, T_CRQC − T_today)

P2PK and reused P2PKH expose the raw key Q and are vulnerable on a fault-tolerant quantum computer. Unspent P2PKH, P2WPKH, and P2TR key-path outputs commit only HASH160(pubkey) or a Taproot tweak — Grover alone leaves ~80 bits of security.

Get the signal, not the noise

Weekly Bitcoin cycle alerts — MVRV, Pi Cycle, and power-law position in one email.

Related tools

SIGNATURE

Harvest-now-decrypt-later timeline

When the clock actually runs out

TRAFFIC

DCA backtester

BTC vs equities, any start date

TRAFFIC

Bitcoin vs. Everything

Compare BTC against gold, major indices and top tech stocks