David Duong, Coinbase’s Global Head of Investment Research, argued that quantum computing is a bigger risk to Bitcoin than “someone stealing a wallet.” He estimated that roughly 32.7% to 33.7% of supply—about 6.51 million BTC—sits in address types that are more exposed to quantum-style attacks, creating a network-wide integrity problem, not just isolated theft.
His point is that the threat has two separate gears that can turn at the same time. Quantum risk is framed as both a signature problem (who can spend coins) and a mining problem (who can control block production).
The Two Risk Channels
The first channel is signatures. Bitcoin relies on ECDSA, and Duong noted that exposed public keys could, in principle, be vulnerable to quantum algorithms like Shor’s that derive private keys from public keys. The weak spot is older or reused addresses where the public key has already been revealed on-chain, enabling a “harvest now, decrypt later” dynamic. In that scenario, the attacker doesn’t need to break the system today—they just need enough recorded material to exploit later.
The second channel is mining economics. Duong said that while SHA-256 is considered more resistant than ECDSA, quantum speed-ups in hashing could still reshape incentives. If hashing becomes meaningfully advantaged for a subset of actors, mining power could concentrate and raise the risk of 51%-style control over block production, undermining finality and market integrity. That’s why he called it a structural risk rather than a niche custody issue. “Quantum computing could pose two threats to the Bitcoin network,” he said.
Why the “One-Third Exposed” Estimate Matters
Duong based the exposure estimate on on-chain data through block 900,000 and concluded that around one-third of Bitcoin supply sits in address types more susceptible to long-range quantum attacks. He acknowledged that today’s quantum machines are far too small to break Bitcoin cryptography, but the argument is that the trajectory makes planning rational. You don’t wait for the first catastrophic break to start coordinating a migration. By then, it’s too late to do it cleanly.
What Migration Could Look Like
On the technical side, the discussion isn’t starting from zero. Proposals mentioned include BIP 360 and broader adoption of post-quantum signature schemes such as lattice-based algorithms, with examples like CRYSTALS-Dilithium and FALCON. But moving to quantum-resistant primitives isn’t a simple toggle. It would require protocol-level work, developer coordination, and broad user migration, which Duong emphasized would not be trivial.
Practical Takeaways for Treasuries and Custodians
For institutions holding long-term BTC, the priority is reducing avoidable exposure while staying aligned with protocol direction. Audit address reuse and public-key exposure, monitor proposals like BIP 360 and post-quantum work, and consider staged migration plans for long-dated reserves instead of reactive moves. The timeline is uncertain, but that uncertainty cuts both ways. Some estimates push the threat window into the late 2020s—around 2028–2029—while others see it further out, which is exactly why planning needs to be scenario-based.
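As an added example (not code from Duong's research or from Coinbase), one way to start the address-reuse and public-key-exposure audit is to sort each unspent output by whether its public key is already visible on-chain, either in the output script itself or through an earlier spend from the same script. The record fields (`script`, `sats`, `spent_from_before`) and the sample outputs are constructed assumptions, and the buckets are illustrative rather than the methodology behind the one-third estimate.

```python
# Added example; field names and sample outputs are constructed assumptions.
def classify_script(script_hex):
    """Return (type, key_in_output) for a standard scriptPubKey given as hex."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG; the key itself is on-chain
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh", False
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh", False
    # P2WPKH / P2WSH: OP_0 <20- or 32-byte hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", False
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", False
    # P2TR: OP_1 <32-byte x-only key>; the output commits to a key, not a hash
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", True
    return "unknown", False

def audit(utxos):
    """Sum satoshis per exposure bucket across unspent outputs."""
    report = {"key_in_output": 0, "reused_after_spend": 0,
              "key_not_revealed": 0, "unclassified": 0}
    for u in utxos:
        kind, key_visible = classify_script(u["script"])
        if kind == "unknown":
            bucket = "unclassified"      # needs manual review
        elif key_visible:
            bucket = "key_in_output"
        elif u["spent_from_before"]:     # an earlier spend published the key
            bucket = "reused_after_spend"
        else:
            bucket = "key_not_revealed"
        report[bucket] += u["sats"]
    return report

# Constructed sample outputs (not real chain data)
SAMPLE_UTXOS = [
    {"script": "2102" + "11" * 32 + "ac", "sats": 5_000_000_000, "spent_from_before": False},
    {"script": "76a914" + "22" * 20 + "88ac", "sats": 120_000_000, "spent_from_before": True},
    {"script": "0014" + "33" * 20, "sats": 75_000_000, "spent_from_before": False},
    {"script": "5120" + "44" * 32, "sats": 10_000_000, "spent_from_before": False},
    {"script": "76a914" + "55" * 20 + "88ac", "sats": 30_000_000, "spent_from_before": False},
]

if __name__ == "__main__":
    print(audit(SAMPLE_UTXOS))
```

Outputs in the first two buckets are the candidates for a staged move to fresh, never-spent-from addresses; `unclassified` scripts need manual review.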
The bottom line is that quantum safety, if it becomes relevant, will be won or lost on migration execution. The decisive test isn’t the first scary benchmark headline—it’s whether the ecosystem can roll out quantum-resistant primitives and get users to move before a quantum-capable adversary exists.








