6.5M BTC Exposed: Presidio's Quantum Math

Technology · By Bitcoin Gate Team

Originally reported by Presidio Bitcoin

Why this paper matters

Quantum risk to Bitcoin usually arrives as a vibe: a Nobel physicist warning here, a Bernstein note there, a headline timed to a bull run. What has been missing is a serious, numbers-first assessment of what is actually at stake, who is at stake, and what the transition path looks like if and when a cryptographically relevant quantum computer (CRQC) arrives.

Presidio Bitcoin, a non-profit Bitcoin research hub in the Bay Area, has now produced exactly that. The group's new Quantum Readiness paper, released this week, is pitched as a living document on Bitcoin's exposure, mitigation menu, upgrade paths, and plausible transition scenarios. It is the most concrete public inventory of the problem yet.

The core numbers

The headline figure is blunt. If a CRQC existed today, roughly 6.5 million BTC — about one-third of total supply — would be immediately vulnerable to key extraction from exposed public keys.

Two things make that number less scary than it sounds, and one thing makes it scarier.

Less scary: the 6.5 million is not evenly distributed across self-custody holders. More than two-thirds of the exposure — about 4.5 million BTC — comes from address reuse, much of it concentrated among a small number of large custodians that reuse addresses for operational simplicity. Fixing that is a policy decision at a handful of firms, not a network-wide migration.

Also less scary: an estimated 1.72 million BTC sits in legacy pay-to-pubkey (P2PK) outputs from the Satoshi era. Most of those coins are presumed lost. They are vulnerable in theory and economically meaningful in aggregate, but they are not someone's retirement stack.

Scarier: Presidio's survey of expert opinion puts the probability of a cryptographically relevant quantum computer emerging between 2030 and 2035 at roughly 50%. That is not a fringe timeline. That is within the planning horizon of anyone thinking about Bitcoin as a multi-decade asset.

What a migration actually looks like

The paper pushes back against the assumption that a quantum upgrade would require a chaotic hard fork. The preferred path is a soft fork that introduces post-quantum signature schemes alongside existing ECDSA and Schnorr signatures, letting users migrate voluntarily to new address types before any credible quantum threat materialises.

On network capacity, Presidio estimates that roughly 90% of Bitcoin's value could be moved to quantum-safe addresses in about four days if 25% of block space were allocated to the migration. That is a plausible, bounded operation, not a years-long crisis.

The paper also makes a useful distinction between two threat models. The first is a "harvest now, decrypt later" problem for coins with exposed public keys — every reused address, every spent P2PKH output, every P2PK output from the early chain. The second is a live attack on in-flight transactions, which requires a CRQC to derive a key and publish a competing transaction faster than the network can confirm the original. The first problem is urgent and concrete. The second is harder and requires much more capable hardware.
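As an added illustration (not code from the Presidio paper or from this article), the Python sketch below tallies exposure under the first threat model for a set of outputs, handling only P2PK and P2PKH scripts. The function names, sample scripts and amounts are constructed for the example, and any other script type is reported as unclassified rather than judged.

```python
from collections import defaultdict

def classify(script_hex):
    """Return (kind, key_id) for a scriptPubKey; ("other", None) if not parsed here."""
    s = bytes.fromhex(script_hex)
    # P2PK: <push of a 33- or 65-byte pubkey> OP_CHECKSIG: the key itself is on-chain.
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return "p2pk", s[1:-1].hex()
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh", s[3:23].hex()
    return "other", None

def exposed_value(outputs):
    """outputs: iterable of (script_hex, sats, spent). Returns unspent sats per category."""
    parsed = [(classify(script), sats, spent) for script, sats, spent in outputs]
    # Spending a P2PKH output publishes the public key in the input, so any
    # hash that has been spent from at least once is treated as revealed.
    revealed = {key for (kind, key), _, spent in parsed if kind == "p2pkh" and spent}
    totals = defaultdict(int)
    for (kind, key), sats, spent in parsed:
        if spent:
            continue  # only coins that are still unspent are at stake
        if kind == "p2pk":
            totals["p2pk"] += sats
        elif kind == "p2pkh" and key in revealed:
            totals["address_reuse"] += sats
        elif kind == "p2pkh":
            totals["hash_protected"] += sats
        else:
            totals["unclassified"] += sats
    return dict(totals)

# Constructed sample data (placeholder bytes, not real chain data).
PUBKEY = "02" + "11" * 32
REUSED, FRESH = "aa" * 20, "bb" * 20

def p2pkh(hash160_hex):
    return "76a914" + hash160_hex + "88ac"

SAMPLE = [
    ("21" + PUBKEY + "ac", 5_000_000_000, False),  # legacy P2PK output
    (p2pkh(REUSED), 100_000, True),                # spent once: key now public
    (p2pkh(REUSED), 250_000, False),               # later deposit to the same address
    (p2pkh(FRESH), 400_000, False),                # never spent from
    ("0014" + "cc" * 20, 70_000, False),           # script type this sketch does not parse
]

if __name__ == "__main__":
    print(exposed_value(SAMPLE))
```

In the sample, only the 250,000 sats sent to the already-spent address count as address reuse; the output to the never-spent address stays behind its hash.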

What holders should actually do

Nothing dramatic. The realistic action items from the paper are unexciting and exactly right:

  • Stop reusing addresses. Modern wallets do this for you. If you are still sweeping to the same address, change that habit.
  • Prefer wallets and custodians that support Taproot (P2TR), which hides public keys until spend.
  • Watch for post-quantum signature proposals entering Bitcoin Core's review pipeline over the next few years.

For long-term holders, the quantum question belongs in the same mental bucket as hardware wallet seed storage and inheritance planning: a problem to solve slowly and well, not one to panic-trade around.

Bitcoin Gate Take

The most important thing about this paper is not the 6.5 million number — it is that someone finally did the work to separate real exposure from vibes. The risk is concentrated in a small number of custodial practices and long-dead coins, not in the typical self-custody stack. And the migration path is a soft fork, which Bitcoin has executed before without drama.

What to watch next is whether large exchanges and custodians publicly commit to ending address reuse in 2026. That alone would take millions of BTC off the quantum exposure list, years before any CRQC is close to real. If they drag their feet, the concentration of risk inside a handful of institutions becomes a story in itself.
