PoW chain
Bitcoin BTC
Bitcoin mainnet remains fully dependent on quantum-vulnerable ECC (ECDSA and Schnorr on secp256k1) for all spend authorization. Draft BIPs 360 (P2MR output type intended to remove key-path spend from script-tree outputs) and 361 (phased legacy signature sunset) propose future mitigations but provide no production protection, no testnet activation, and no client implementation. Bitcoin Core v31.0 (April 2026) contains no PQC, hybrid, or migration code. PoW consensus has no validator signatures, so consensus-authentication is N/A. The only applicable production cryptographic control is BIP-324 opportunistic P2P encryption, which uses classical cryptography. The gap between identified risk (drafts exist) and deployed protection (none) places Bitcoin at Stage 1 Quantum Risk Assessed with a final QRI score of 6, governed by the Roadmap/Proposal-only Readiness & Risk Cap (25), the Stage 1 Cap (20), and a low raw factor score driven by the absence of any PQC implementation, migration, or algorithm assurance.
Quantum Risk AssessedRoadmap OnlyECC-Only Spend Authorization
Category breakdown
QRI Factors
Algorithm & Implementation Assurance
0 / 20
Migration Mechanism, Governance & Ecosystem Coordination
0.75 / 15
Migration Status & Value-at-Risk
0.5 / 25
Production Cryptographic Protection
2.36 / 35
Security Assessment & Evidence Preparedness
2.5 / 5
Critical Quantum Blockers
- Active production spend authorization remains entirely ECC/BLS/Schnorr/EdDSA-only; no PQC or hybrid signature path exists on mainnet
- Only draft BIPs (360 P2MR output type, 361 phased legacy signature sunset) exist; no mainnet, testnet, or production PQ/hybrid signature implementation
- Material long-exposure quantum-vulnerable value (exposed public keys in legacy UTXOs) exists with no production migration, freeze, deprecation, or burn policy
Key Risks
- All circulating BTC supply resides in quantum-vulnerable UTXOs; long-exposure public keys (P2PK, reused P2PKH/P2WPKH, P2TR key-path outputs) are vulnerable to offline key recovery if a cryptographically relevant quantum computer materializes
- No mainnet PQC or hybrid signature support exists; no migration path is enforced or coordinated for exchanges, custodians, or users
- Draft BIPs 360 and 361 lack community consensus, miner signaling, and testnet activation evidence as of 2026-06-01
- The proportion of circulating supply in exposed-key UTXOs cannot be measured from the public evidence in the dossier, preventing coverage-based migration credit
Assurance Notes
- No independent quantum-readiness audit exists for Bitcoin mainnet as of 2026-06-01
- BIP-360 and BIP-361 are draft proposals without consensus, testnet activation, or production code; they constitute design intent rather than verifiable quantum-critical protection
- The exact percentage of circulating supply in quantum-vulnerable exposed-key UTXOs (P2PK, reused P2PKH/P2WPKH, P2TR key-path) is not measured in the public evidence dossier; migration coverage cannot be quantified for the evaluated production scope
- No formal quantum-specific incident-response playbook is published; treated as an assurance-only caveat because the absence of PQC deployment makes a playbook moot for current production protection
Non-Scoring Caveats
- Bitcoin Core is open source and reproducible; this is a general project property but does not substitute for the absence of any PQC implementation
- BIP-324 v2 P2P transport provides opportunistic encryption using classical cryptography; P2P identity is not consensus-, spend-, bridge-, or custody-critical for native asset ownership and is treated as a note-only caveat
- No formal performance or resource-impact analysis of any PQ signature scheme has been published for Bitcoin; this is noted as an assurance-only caveat because no PQ scheme is deployed
Evidence record
Claims and Caveats
Spend authorization / transaction signatures
Spend authorization / transaction signatures are PQC or hybrid-PQC on mainnet
Claim: Bitcoin mainnet uses only ECC-based signatures (ECDSA and Schnorr on secp256k1); no PQC or hybrid signature code is present in Bitcoin Core v31.0 or active branches
Coverage basis: No PQC implementation on mainnet
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: cap-applying
Quantum blocker: Active production spend authorization remains entirely ECC/BLS/Schnorr/EdDSA-only
Assurance: Direct source code inspection of Bitcoin Core v31.0; primary evidence of current production state
No PQC opcodes, address types, or signature schemes in active code paths
Account, address, public-key exposure
Account, address, public-key exposure, and key-derivation design prevents long-exposure quantum-vulnerable ownership paths or supports PQ/hybrid controls
Claim: BIP-360 (P2MR) draft proposes removing key-path spend from script-tree outputs to mitigate long-exposure quantum attacks on ECC public keys, but it is a draft only and is not implemented or activated on mainnet or testnet
Coverage basis: Draft proposal only (no code, no testnet, no activation)
Implementation score: 0.25 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: Primary spec document; implementation score reflects draft proposal status; BIP-360 explicitly states it does not protect against short-exposure attacks and requires a separate PQ signature proposal
Current production P2PK, reused P2PKH/P2WPKH, and P2TR key-path outputs continue to expose public keys
Consensus-critical authentication
Consensus-critical authentication is PQC or hybrid-PQC where applicable, including validator signatures, VRFs, randomness beacons, threshold signatures, or block certificates
Claim: Bitcoin uses hash-based proof of work; there is no validator set, no VRF, no randomness beacon, and no finality or block-certification signatures
Coverage basis: N/A by architecture (PoW chain)
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Architectural property verifiable from Bitcoin Core source and Bitcoin protocol documentation
Excluded from total applicable subfactor weight in Production Cryptographic Protection category
P2P transport, node identity
P2P transport, node identity, and peer authentication are PQC, hybrid-PQC, or satisfied by design
Claim: BIP-324 v2 P2P transport is activated and provides opportunistic encryption using classical cryptography; no PQ handshake is implemented or specified for production
Coverage basis: Classical cryptography only
Implementation score: 0 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: Primary spec document; P2P identity is not consensus-, spend-, bridge-, or custody-critical for native asset ownership and is treated as a note-only caveat
BIP-324 notes mention potential future PQ upgrades to the handshake
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap with sequencing, activation criteria, and dependencies
Claim: BIP-361 (Post Quantum Migration and Legacy Signature Sunset) is a draft informational BIP proposing a phased sunset of ECDSA/Schnorr after a future PQ output type activates; no consensus, activation criteria, or testnet path exists
Coverage basis: Draft informational proposal only
Implementation score: 0.25 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: Primary proposal document; requires a TBD PQ signature BIP for the full roadmap to be actionable; Phases A (~3 years) and B (~5 years) are illustrative, not committed
BIP-361 is informational; no consensus rule change has been adopted
Migration Status & Value-at-Risk
Legacy vulnerable pools/accounts/UTXOs/contracts are identified, measurable, deprecated, migrated, frozen, or proven not to exist by design
Claim: BIP-361 draft discusses sunset of legacy vulnerable address types, but no production deprecation, freeze, or migration mechanism exists; legacy UTXOs with exposed public keys remain spendable under current consensus rules and the exposure share is not measured in public evidence
Coverage basis: Draft proposal only; exposure share not measured
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: Exact percentage of circulating supply in exposed-key UTXOs is not measured in the public evidence dossier; coverage-based migration credit cannot be awarded
No on-chain enforcement, freeze, or burn policy exists in current consensus rules
Security Assessment & Evidence Preparedness
Public cryptographic inventory of critical public-key mechanisms and public quantum threat model covering attack assumptions, affected assets, and affected layers
Claim: Draft BIPs 360 and 361 identify ECDSA and Schnorr on secp256k1 as quantum-vulnerable primitives and discuss long-exposure and short-exposure attack windows for spend authorization
Coverage basis: Draft specification with partial coverage of attack windows
Implementation score: 0.5 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Primary draft documents; no comprehensive published threat model with independent review; coverage of affected layers is partial (spend authorization and migration, not consensus or P2P in depth)
BIP-360 explicitly distinguishes long-exposure vs. short-exposure attack scenarios
Security Assessment & Evidence Preparedness
Public evidence record supporting the assessment, such as code references, specs, audits, transaction examples, or reproducible analytics
Claim: Bitcoin Core source code and BIP documents are public and reproducible; no independent quantum-readiness audit or reproducible analytics of exposed-key UTXO coverage exists
Coverage basis: Public code and specs only; no independent audit
Implementation score: 0.5 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Public code is reproducible and verifiable; audit freshness is absent for quantum-specific scope; this affects Confidence and Assurance Notes rather than the Implementation Score for non-quantum-critical evidence
Report metadata