34% of Bitcoin Addresses Are at Risk — The Structural Weakness Quantum Computers Could Break
3-Point Summary
- A Bitcoin address becomes quantum-vulnerable once it has been spent from, because the spend writes its public key on-chain, where a future quantum computer could recover the private key (P2PK and Taproot outputs publish the key even earlier, at creation).
- BIP‑361 is not a PQ address specification but a phased procedure to retire quantum‑vulnerable scripts and prepare the network for a PQ transition.
- ZK-based authentication could in theory offer strong quantum resistance, provided the proof system itself is post-quantum, but Bitcoin's Script limits, block weight limits and verification costs make it impractical today.
Bitcoin’s Quantum Vulnerabilities, BIP‑361, and ZK-Based Alternatives
※ This post is an initial version and will be updated to the final Daily Crypto Times (DCT) format in a day.
As the era of quantum computing approaches faster than many expected, the fundamental security model of Bitcoin is back in the spotlight. BIP‑361, recently proposed by Bitcoin developers, is not a minor technical tweak but the first concrete attempt to address a structural issue: more than 34% of all Bitcoin may be exposed to quantum attacks.
To understand what this proposal really means, we need clear answers to a few key questions:
- Why are all addresses that have been used at least once considered quantum-vulnerable?
- How does Bitcoin’s transaction structure actually expose public keys?
- What exactly does BIP‑361 aim to change?
- Beyond PQ signatures, is a ZK-based alternative realistically possible?
This article tackles precisely those questions. We walk through how Bitcoin's current security model reveals its limits in a quantum era, what direction BIP-361 suggests for a post-quantum (PQ) transition, and why ZK-based authentication is "theoretically possible but practically difficult" for Bitcoin today. The goal is to connect these pieces into a single coherent narrative.
1. Why Are Bitcoin Addresses Used Even Once Quantum-Vulnerable?
Fundamental Weakness from the UTXO and Script Model
Bitcoin does not use an account-based model. Instead, it relies on the UTXO (Unspent Transaction Output) model. In this structure, the critical question is: what information is written to the blockchain when you receive Bitcoin, and what is revealed when you spend it?
① When Receiving (UTXO Creation) — The Public Key Is Hidden
For a typical P2PKH address (addresses starting with 1), the ScriptPubKey looks like this:
OP_DUP OP_HASH160 <pubkey hash> OP_EQUALVERIFY OP_CHECKSIG
Here the blockchain stores only HASH160(pubkey) = RIPEMD160(SHA256(pubkey)), a 20-byte hash, not the public key itself. (A native SegWit P2WPKH output, with an address starting with bc1q, commits to the same 20-byte hash inside a witness program.) At this stage an attacker cannot see the public key, so even with a quantum computer there is no key to run Shor's algorithm against; the best known quantum attack on the hash itself is Grover's search, which only halves the effective bit length and leaves a preimage attack infeasible. In this state the UTXO is relatively safe.
② When Spending (UTXO Consumption) — The Public Key Is Fully Exposed
To spend this coin, the transaction input’s ScriptSig must include:
<signature> <public key>
In other words, the moment you spend the coin, the public key for that address is written in full to the blockchain (for P2WPKH it goes into the input's witness instead of the ScriptSig, but it is just as public). From that point on, the situation changes dramatically.
Bitcoin signs with ECDSA and, since Taproot, Schnorr (BIP 340), both over the secp256k1 curve, so both rest on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP). On a sufficiently large, error-corrected quantum computer, Shor's algorithm solves ECDLP in polynomial time: given a public key, it recovers the corresponding private key.
So, in conclusion: any address that has been spent from at least once has its public key exposed and is quantum-vulnerable from then on. The exposure attaches to the key, not to a single transaction, so coins left at that address and any coins sent to it later are exposed too; this is why address reuse matters so much here. Two further cases expose the key without any spend at all: early Pay-to-Public-Key (P2PK) outputs, such as the Satoshi-era coinbases, put the key directly in the ScriptPubKey, and Taproot (P2TR, bc1p) outputs put the tweaked x-only key in the output as well. Even a never-reused P2PKH address is exposed during the window between a spend being broadcast and being mined, so a fast enough quantum attacker could try to race it. Old exchange wallets and reused personal addresses fall into this category, and developers are concerned because a significant portion of the current Bitcoin supply is locked in such quantum-vulnerable outputs.
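To make the exposure concrete, here is an added Python example (not code from the original post) that builds the output scripts discussed above, classifies whether an output publishes its key at creation or only commits to a hash, and extracts the key that a spend puts on-chain. It goes beyond the P2PKH case in the text by also handling P2WPKH, P2PK, P2TR, P2SH and P2WSH. The sample public key is the compressed secp256k1 generator point G (the key for private key 1), used as a constructed sample; the signature bytes are a placeholder rather than a valid signature, because the point here is what the spend reveals, not signature validation. HASH160 uses OpenSSL's RIPEMD-160 through hashlib, so it needs a build where that digest is enabled.

```python
import hashlib
from typing import List, Optional, Sequence, Union

# Constructed sample: the compressed secp256k1 generator point G, i.e. the
# public key belonging to private key 1. A valid point, but not a real user key.
SAMPLE_PUBKEY = bytes.fromhex(
    "0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
)
# Placeholder signature bytes (not a valid DER signature); only the key matters here.
FAKE_SIG = bytes(71)

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x87, 0x88, 0xA9, 0xAC

Item = Union[int, bytes]  # an opcode, or the data a push opcode pushed


def hash160(data: bytes) -> bytes:
    """HASH160 = RIPEMD160(SHA256(data)); needs OpenSSL with ripemd160 enabled."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def push(data: bytes) -> bytes:
    """Direct push opcode for 1..75 bytes (covers keys, hashes and signatures)."""
    if not 1 <= len(data) <= 75:
        raise ValueError("push() only handles 1..75 byte payloads")
    return bytes([len(data)]) + data


def parse(script: bytes) -> List[Item]:
    """Split a script into opcodes (int) and pushed data (bytes)."""
    items: List[Item] = []
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:               # direct push of `op` bytes
            items.append(script[i:i + op])
            i += op
        else:
            items.append(op)
    return items


def p2pk_script_pubkey(pubkey: bytes) -> bytes:
    return push(pubkey) + bytes([OP_CHECKSIG])


def p2pkh_script_pubkey(pubkey: bytes) -> bytes:
    return bytes([OP_DUP, OP_HASH160]) + push(hash160(pubkey)) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])


def p2wpkh_script_pubkey(pubkey: bytes) -> bytes:
    return bytes([OP_0]) + push(hash160(pubkey))


def p2tr_script_pubkey(xonly_key: bytes) -> bytes:
    return bytes([OP_1]) + push(xonly_key)


def _is_push(item: Item, *sizes: int) -> bool:
    return isinstance(item, bytes) and len(item) in sizes


def classify_output(spk: bytes) -> str:
    """'exposed' if the output itself publishes a public key, 'hashed' if it only
    commits to a hash (key revealed at spend time), 'unknown' otherwise."""
    it = parse(spk)
    if len(it) == 2 and _is_push(it[0], 33, 65) and it[1] == OP_CHECKSIG:
        return "exposed"                      # P2PK: key on-chain at creation
    if len(it) == 2 and it[0] == OP_1 and _is_push(it[1], 32):
        return "exposed"                      # P2TR: tweaked x-only key on-chain at creation
    if len(it) == 5 and it[:2] == [OP_DUP, OP_HASH160] and _is_push(it[2], 20):
        return "hashed"                       # P2PKH
    if len(it) == 2 and it[0] == OP_0 and _is_push(it[1], 20, 32):
        return "hashed"                       # P2WPKH / P2WSH
    if len(it) == 3 and it[0] == OP_HASH160 and _is_push(it[1], 20) and it[2] == OP_EQUAL:
        return "hashed"                       # P2SH
    return "unknown"


def revealed_pubkey(spk: bytes, script_sig: bytes = b"",
                    witness: Sequence[bytes] = ()) -> Optional[bytes]:
    """For a spend of a P2PKH/P2WPKH output, return the public key the spend puts
    on-chain, after checking it really is the preimage of the committed HASH160."""
    it = parse(spk)
    if len(it) == 5 and it[:2] == [OP_DUP, OP_HASH160] and _is_push(it[2], 20):
        committed, stack = it[2], parse(script_sig)      # P2PKH: scriptSig = <sig> <pubkey>
    elif len(it) == 2 and it[0] == OP_0 and _is_push(it[1], 20):
        committed, stack = it[1], list(witness)          # P2WPKH: witness = [sig, pubkey]
    else:
        return None
    if not stack or not _is_push(stack[-1], 33, 65):
        return None
    key = stack[-1]
    return key if hash160(key) == committed else None


if __name__ == "__main__":
    spk = p2pkh_script_pubkey(SAMPLE_PUBKEY)
    print("unspent P2PKH:", classify_output(spk), revealed_pubkey(spk))
    print("after spend  :", revealed_pubkey(spk, push(FAKE_SIG) + push(SAMPLE_PUBKEY)).hex())
```

Run over a node's UTXO set and spent inputs, the same two checks give a first-pass inventory of which coins sit behind a hash and which already have a key on-chain; note that any later output paying the same HASH160 inherits the exposure, since the key is already public.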
2. What Core Structure Does BIP‑361 Propose for Quantum-Resistant Bitcoin (PQ Bitcoin)?
BIP‑361 Is Not “Defining a PQ Address Format” but a “Procedure to Retire Vulnerable Addresses”
There is a common misunderstanding: BIP‑361 does not define a new PQ address format or a specific cryptographic scheme. Instead, its goals are closer to the following:
- Gradually phase out quantum-vulnerable addresses (P2PK, already-used P2PKH, etc.), and
- Prepare the environment so that, in the future, funds can migrate to quantum-resistant (PQ) addresses.
The 3-Phase Roadmap Proposed by BIP‑361
- Roughly 3 years after activation: reject new transactions that send coins to quantum-vulnerable output types.
- Roughly 5 years after activation: reject spends from those vulnerable scripts that are authorized only by a legacy ECDSA or Schnorr signature, which freezes any coins that have not migrated by then.
- Later: discuss a "recovery option" for coins that were not migrated to PQ outputs in time.
In short, BIP‑361 is a procedural proposal to clean up quantum-vulnerable addresses, and on top of that cleanup, it creates room for PQ addresses to be introduced. So what structural direction should PQ addresses take?
Structural Principles PQ Addresses Need to Follow
Although BIP‑361 does not name specific algorithms, it implicitly assumes several structural requirements:
- An output should commit only to a hash of the public key, so the key is not on-chain before the coin is spent (unlike P2PK and Taproot outputs, which publish the key at creation).
- The spend must be authorized by a quantum-resistant signature scheme, so that revealing the public key and signature at spend time gives a quantum attacker nothing to invert.
- Keep the public-key-hash address model, but allow migration to stronger hash functions if needed.
- Adjust Script and size limits for the NIST-selected PQC signature schemes (ML-DSA/Dilithium, Falcon, SLH-DSA/SPHINCS+), whose keys and signatures are roughly ten to a few hundred times larger than a 33-byte secp256k1 key and 64-byte Schnorr signature.
Summarized in one line: PQ Bitcoin addresses should "keep the public key hashed until the spend, and make the spend-time reveal harmless by authorizing it with a quantum-resistant signature." The core goal is to break the current pattern of "address → ECDLP-vulnerable public key revealed upon spending."
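As an added illustration of the commit-to-hash pattern (not BIP-361's own scheme, which names no algorithm, and not code from the original post), here is a Python sketch using a Lamport one-time signature over SHA-256, the simplest ancestor of the hash-based SPHINCS+ family named above. The output commits only to address(pk); the spend reveals the public key and signature, and because both consist of hashes rather than elliptic-curve points, the reveal gives Shor's algorithm nothing to invert. sizes() shows why the size limits mentioned above matter, and forge_from_reuse shows the one-time caveat: reusing such a key across spends leaks enough preimages that an attacker can sign a transaction of their choosing without the secret key. Messages such as b"tx-0" are constructed samples.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

N = 256                      # one preimage pair per bit of a SHA-256 message digest
SecretKey = List[Tuple[bytes, bytes]]
PublicKey = List[Tuple[bytes, bytes]]
Signature = List[bytes]


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(digest: bytes):
    """Yield the 256 bits of a digest, most significant bit first."""
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def keygen() -> Tuple[SecretKey, PublicKey]:
    """Lamport one-time key: 256 pairs of random preimages; public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def serialize_pk(pk: PublicKey) -> bytes:
    return b"".join(a + b for a, b in pk)


def address(pk: PublicKey) -> bytes:
    """What the output commits to: a hash of the public key, never the key itself."""
    return H(serialize_pk(pk))


def sign(sk: SecretKey, msg: bytes) -> Signature:
    """Reveal, for each digest bit, the preimage selected by that bit."""
    return [sk[i][bit] for i, bit in enumerate(_bits(H(msg)))]


def verify(pk: PublicKey, msg: bytes, sig: Signature) -> bool:
    if len(sig) != N:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(H(msg))))


def spend(committed: bytes, pk: PublicKey, msg: bytes, sig: Signature) -> bool:
    """Consensus-style check at spend time: the revealed key must match the
    committed hash, and the hash-based signature must verify."""
    return address(pk) == committed and verify(pk, msg, sig)


def sizes() -> Tuple[int, int, int]:
    """(address, public key, signature) sizes in bytes for this toy scheme."""
    sk, pk = keygen()
    sig = sign(sk, b"")
    return len(address(pk)), len(serialize_pk(pk)), sum(len(s) for s in sig)


def doubly_revealed(m1: bytes, m2: bytes) -> int:
    """Positions where signing both m1 and m2 with one key reveals *both* preimages;
    at each of them a forger may pick either bit. This depends only on the digests."""
    return sum(a != b for a, b in zip(_bits(H(m1)), _bits(H(m2))))


def forge_from_reuse(pk: PublicKey, signed: List[Tuple[bytes, Signature]],
                     target: bytes) -> Optional[Signature]:
    """Attacker view after key reuse: pool the revealed preimages and assemble a
    signature on `target` from them alone. Returns None if some needed preimage
    was never revealed (with one honest signature that is almost always the case;
    with a few dozen it almost never is)."""
    revealed: List[Dict[int, bytes]] = [{} for _ in range(N)]   # position -> {bit: preimage}
    for msg, sig in signed:
        for i, bit in enumerate(_bits(H(msg))):
            revealed[i][bit] = sig[i]
    forged: Signature = []
    for i, bit in enumerate(_bits(H(target))):
        if bit not in revealed[i]:
            return None
        forged.append(revealed[i][bit])
    return forged


if __name__ == "__main__":
    sk, pk = keygen()
    out = address(pk)                      # only this goes into the "output"
    msg = b"tx-0"
    print("spend ok:", spend(out, pk, msg, sign(sk, msg)))
    print("address/pk/sig bytes:", sizes())
```

Design note: one-time keys are why real hash-based schemes (XMSS, SPHINCS+) build Merkle trees of many Lamport/WOTS keys and track state or randomize leaf selection; a Bitcoin PQ output type would need the same discipline, since "never reuse an address" would become a hard safety rule rather than a privacy recommendation.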
3. Can Bitcoin Achieve Quantum Resistance Using ZK Instead?
Theoretically Yes — But It Would Require Massive Changes to Bitcoin
A natural question arises here: “Instead of PQ signatures, could we use ZK (zero-knowledge) proofs to achieve quantum resistance?”
In theory, yes. With a ZK proof, a user can prove:
“I know the private key for this address” without revealing the private key or the public key.
In such a design the blockchain never stores an elliptic-curve public key, so there is no "public key target" for a quantum computer to attack. The caveat is that the proof system itself must be post-quantum: pairing-based SNARKs such as Groth16 rest on elliptic-curve assumptions that Shor's algorithm breaks just as it breaks ECDSA, so only hash-based constructions such as STARKs qualify. With that constraint met, a ZK-based model can be extremely strong against quantum attacks.
Why ZK Is Still Unrealistic for Bitcoin Today
① Script Language Limitations
Bitcoin's Script language is intentionally minimal. It has no loops, no wide arithmetic and no opcode for verifying SNARKs or STARKs. Supporting ZK verification would require new opcodes. These could in principle arrive by soft fork through a new witness or Tapscript version, as Taproot did, rather than a hard fork, but it would still be a consensus change that embeds a large, hard-to-audit verifier in every node, which runs against Bitcoin's conservative design philosophy.
② Proof Size and Block Size
Pairing-based ZK-SNARK proofs are only a few hundred bytes, but they are not post-quantum; the hash-based STARK proofs that are cost tens of kilobytes or more each. Bitcoin's block limit is 4 million weight units (at most 4 MB of serialized data, and about 1 MB of non-witness data), so carrying one such proof per input would consume a large share of every block and significantly increase the on-chain data every node must store and relay.
③ Verification Cost
Verifying a STARK involves many hash evaluations and Merkle path checks, costing orders of magnitude more CPU and memory than a single Schnorr or ECDSA check. Since every full node must verify every transaction, dramatically increasing verification cost would harm decentralization and verifiability, two core pillars of Bitcoin's design.
For these reasons, while ZK-based quantum resistance is cryptographically attractive, it is widely seen as impractical for Bitcoin’s current architecture and governance model.
Summary
- A Bitcoin address becomes quantum-vulnerable the moment it is spent from, because the spend exposes its public key on-chain, enabling a quantum attack on the private key; P2PK and Taproot outputs expose the key at creation.
- BIP‑361 does not define a PQ address format; it proposes a phased retirement of quantum-vulnerable addresses and prepares the ground for a PQ transition.
- ZK-based designs could, in theory, provide strong quantum resistance if the proof system itself is post-quantum, but Bitcoin's Script model, block weight limits and verification costs make such an approach unrealistic today.
In the end, Bitcoin’s strategy for the quantum era is converging toward one direction: minimize public key exposure and transition to quantum-resistant signature schemes (PQ signatures). The fact that quantum computers are not yet a mainstream threat does not mean this discussion can be postponed indefinitely. The structural choices made now are likely to shape Bitcoin’s next decade.
Younchan Jung
Researcher exploring structural shifts in AI, blockchain, and the on‑chain economy.