Are legacy P2PKH addresses quantum safe?
Only if never spent from. A P2PKH output script reveals a HASH160, not the public key. As soon as you spend, the public key is broadcast on-chain and the address becomes part of the quantum-exposed set.
A P2PKH output script is OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG. Until the owner authors a spending transaction, the network has never seen the full public key. Reversing a HASH160 to a key is not feasible — Grover's algorithm gives at most a square-root speedup, leaving 80-bit security, which is far above any near-term capability.
Spending changes everything. The signature script reveals the full secp256k1 public key. A future quantum attacker with Shor's algorithm could derive the private key from that pubkey. Address reuse compounds the risk: every additional UTXO sitting at that address becomes claimable.
The practical implication: legacy holders who have never spent are in the strongest quantum posture in Bitcoin today. Holders who reuse addresses are in the weakest.
Related questions
Does receiving to a P2PKH address expose the public key?
No — receiving only reveals the address (the HASH160). The public key is broadcast only when you spend. That is why once-and-done addresses are the standard cold-storage hygiene: receive, hold, sweep in a single later transaction.
What about Satoshi's coins?
The earliest mined blocks paid to P2PK (raw public key) outputs, not P2PKH. Those public keys are already on-chain. That's roughly 1.7M BTC across the early coinbase rewards that are quantum-exposed by construction and have never moved.