Quantum computing and Bitcoin: why Saylor's optimism might be premature

Michael Saylor, executive chairman of MicroStrategy, has recently presented an upbeat vision of Bitcoin's future in the age of quantum computers: the network will not be broken but strengthened. This outlook has generated enthusiasm in parts of the cryptocurrency community. When the actual technical and economic landscape is examined, however, the picture becomes considerably more complex. What exactly is the threat Bitcoin faces, and will the migration to post-quantum security proceed as smoothly as the optimistic narrative suggests? A technical look reveals gaps in this scenario, above all concerning the roughly 1.7 million BTC whose public keys are already exposed on the chain.

What is the quantum threat to Bitcoin, and how far along is it?

In the context of cryptocurrency security, the quantum threat refers to quantum computers that exploit quantum-mechanical effects to run certain algorithms that are infeasible on classical hardware. For Bitcoin, the main threat is not to the proof-of-work mechanism (hashing) but to the digital signatures that tie coins to private keys.

The Bitcoin network relies on ECDSA and, since the Taproot upgrade, Schnorr signatures over the secp256k1 curve. Both rest on the hardness of the elliptic-curve discrete logarithm problem, which Shor's algorithm solves in polynomial time: a sufficiently large, error-corrected quantum computer could derive the private key from any public key it can read. Current estimates put the requirement at roughly 2,000–4,000 logical qubits, each of which must be built from many physical qubits to correct errors. Existing devices are far below this threshold, which is why cryptographically relevant quantum computers are generally estimated to be at least 10–15 years away.

Importantly, NIST (National Institute of Standards and Technology) has already published quantum-resistant digital signature standards: ML-DSA (derived from CRYSTALS-Dilithium) as FIPS 204 and SLH-DSA (derived from SPHINCS+) as FIPS 205, while FN-DSA (derived from Falcon) is still in draft as FIPS 206. In principle these schemes could be integrated into Bitcoin through a new output type (a soft-forked witness version) or through hybrid signatures that combine a classical and a post-quantum scheme. Bitcoin Optech is already tracking such proposals.

1.7 million BTC already vulnerable to quantum attacks

However, a key issue Saylor has not sufficiently addressed is that the exposure depends entirely on the type of Bitcoin output and on whether its public key has already been revealed on the blockchain.

Early pay-to-public-key (P2PK) outputs from Satoshi's era embed the raw public key directly in the output script, so those coins are irreversibly exposed. Standard P2PKH and modern SegWit P2WPKH outputs hide the public key behind a hash, but only until the coins are spent: the spending transaction has to reveal the key, and from that moment every other output ever sent to the same address is exposed too, so address reuse silently turns protected coins into vulnerable ones. Taproot added a new risk category: a P2TR output carries a 32-byte (tweaked) public key from day one, and since that key is still a point on the curve, the UTXO is exposed before it is ever spent.

Recent analyses, including Deloitte's research, indicate that about 25% of the total Bitcoin supply already sits in outputs whose public keys are visible on chain. That figure covers around 1.7 million BTC in early P2PK outputs plus hundreds of thousands more in modern Taproot outputs. Some of these coins have been dormant for years; their owners may be unreachable, deceased, or may simply have forgotten them. These "lost" coins will not stay frozen: they are the natural first target for whoever builds a sufficiently capable quantum machine, and they can be attacked without any time pressure.

Coins whose public key has never been revealed (unspent P2PKH or P2WPKH outputs at addresses that were never spent from) are protected by the hash. Against a hash, Grover's algorithm offers only a quadratic speedup, which leaves a preimage search on the 160-bit HASH160 at roughly 2^80 quantum operations, still out of reach, and which could in any case be countered by longer hash outputs. This protection is only as durable as the owner's habits, however: it ends the moment the coins, or any other coins at the same address, are spent.
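The exposure rules described in the two paragraphs above, as an added example that is not part of the original article: a small script that classifies standard output scripts, extracts the public key that a spend of a hashed output reveals, and flags any other unspent output at the same address as exposed by reuse. The script templates are Bitcoin's real ones; every key, hash and signature in the sample state is a constructed placeholder, not a real secp256k1 point or a valid signature.

```python
"""Audit a small, constructed UTXO set for public-key exposure by output type.

Added example, not code from the article. Script templates are Bitcoin's standard
output types; all keys, hashes and signatures below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

OP_0, OP_1, OP_PUSHDATA1 = 0x00, 0x51, 0x4C
OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x87, 0x88, 0xA9, 0xAC


@dataclass
class Utxo:
    outpoint: str
    script_pubkey: bytes


@dataclass
class Spend:
    """A spending input: the prevout's script and the data that unlocked it."""
    prev_script_pubkey: bytes
    script_sig: bytes = b""
    witness: List[bytes] = field(default_factory=list)


def classify_script(spk: bytes) -> str:
    """Map a scriptPubKey to its standard template, or 'UNKNOWN'."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK"      # <push pubkey> OP_CHECKSIG: the key is in the clear
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH"     # only HASH160(pubkey) on chain until spent
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "P2SH"
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "P2WPKH"    # witness v0, 20-byte key hash
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "P2WSH"
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "P2TR"      # witness v1: 32-byte x-only tweaked key, itself an EC point
    return "UNKNOWN"


def parse_pushes(script: bytes) -> List[bytes]:
    """Split a scriptSig into its pushed items (direct pushes and OP_PUSHDATA1 only)."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 0x4B:
            size = op
        elif op == OP_PUSHDATA1:
            size, i = script[i], i + 1
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} in scriptSig")
        items.append(script[i:i + size])
        i += size
    return items


def revealed_pubkey(spend: Spend) -> Optional[bytes]:
    """The public key a spend of a hashed output puts on chain, if it is one."""
    kind = classify_script(spend.prev_script_pubkey)
    if kind == "P2PKH":
        items = parse_pushes(spend.script_sig)                    # <sig> <pubkey>
        candidate = items[-1] if items else b""
    elif kind == "P2WPKH":
        candidate = spend.witness[-1] if spend.witness else b""   # [sig, pubkey]
    else:
        return None
    return candidate if len(candidate) in (33, 65) else None


def audit(utxos: List[Utxo], spends: List[Spend]) -> Dict[str, List[str]]:
    """Sort unspent outputs by whether an attacker can already read their public key."""
    # A script whose key any earlier spend revealed is burned for every later output too.
    burned = {s.prev_script_pubkey for s in spends if revealed_pubkey(s) is not None}
    report: Dict[str, List[str]] = {
        "exposed_at_creation": [], "exposed_by_reuse": [], "hashed": [], "other": []}
    for u in utxos:
        kind = classify_script(u.script_pubkey)
        if kind in ("P2PK", "P2TR"):
            report["exposed_at_creation"].append(u.outpoint)
        elif kind in ("P2PKH", "P2WPKH"):
            report["exposed_by_reuse" if u.script_pubkey in burned else "hashed"].append(u.outpoint)
        else:
            report["other"].append(u.outpoint)
    return report


# --- constructed sample state (placeholder bytes, not real keys or signatures) ---
def p2pk(pub): return bytes([len(pub)]) + pub + bytes([OP_CHECKSIG])
def p2pkh(h): return bytes([OP_DUP, OP_HASH160, 0x14]) + h + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
def p2wpkh(h): return bytes([OP_0, 0x14]) + h
def p2tr(x): return bytes([OP_1, 0x20]) + x

PUB_A, PUB_C, PUB_D = b"\x02" + b"\x11" * 32, b"\x03" + b"\x33" * 32, b"\x02" + b"\x44" * 32
HASH_B, HASH_C, HASH_D, XONLY_E = b"\xbb" * 20, b"\xcc" * 20, b"\xdd" * 20, b"\xee" * 32
SIG = b"\x30" + b"\x99" * 70                       # DER-shaped placeholder, 71 bytes

SAMPLE_UTXOS = [
    Utxo("a:0", p2pk(PUB_A)),     # Satoshi-era style: key in the clear
    Utxo("b:0", p2pkh(HASH_B)),   # hashed, address never spent from
    Utxo("c:1", p2pkh(HASH_C)),   # hashed, but the same address was spent from (SAMPLE_SPENDS)
    Utxo("d:1", p2wpkh(HASH_D)),  # SegWit, same situation as c:1
    Utxo("e:0", p2tr(XONLY_E)),   # Taproot: tweaked key on chain from day one
]
SAMPLE_SPENDS = [
    Spend(p2pkh(HASH_C), script_sig=bytes([len(SIG)]) + SIG + bytes([len(PUB_C)]) + PUB_C),
    Spend(p2wpkh(HASH_D), witness=[SIG, PUB_D]),
]

if __name__ == "__main__":
    for bucket, outpoints in audit(SAMPLE_UTXOS, SAMPLE_SPENDS).items():
        print(f"{bucket:20s} {outpoints}")
```

The reuse check deliberately keys on the prevout script rather than recomputing HASH160 of the revealed key: the spend already proves which script that key belongs to, so the same logic works over a full chain index without a RIPEMD-160 dependency. On real data you would feed it the UTXO set and every historical input rather than the five constructed outputs here.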

Technological migration is more than just cryptography

Saylor claims that “security will increase, supply will decrease.” This oversimplifies the complex reality. Migrating to post-quantum signature schemes is not a straightforward win—it involves real costs.

Research published in peer-reviewed venues indicates that a realistic migration would entail significant compromises. Post-quantum signatures are far larger than current ones: an ECDSA or Schnorr signature is 64–72 bytes, whereas an ML-DSA-44 signature alone is 2,420 bytes, accompanied by a 1,312-byte public key that also has to appear on chain when the coins are spent. The cited work estimates that this could cut effective block capacity by about half. Node operating costs would rise because verifying these signatures takes more computation and bandwidth, and transaction fees would likely increase because each signature occupies more block space.
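To make the size argument concrete, here is an added example (not from the article or the research it cites) that applies Bitcoin's real weight rules, non-witness bytes counted four times and witness bytes once against a 4,000,000 weight-unit block, to a hypothetical post-quantum output type that, like P2WPKH, reveals both the signature and the public key in the witness at spend time. The signature and key sizes are the published parameter sizes (FN-DSA-512 from the FIPS 206 draft); the output type itself is an assumption. The per-input figures are an upper bound on the capacity loss, since outputs and transaction overhead are unchanged, so a block that is half signatures today does not lose the full factor shown.

```python
"""Weight cost of one key-spending input under current and post-quantum signatures.

Added example, not from the article or its sources. Applies Bitcoin's weight rules
(non-witness bytes x4, witness bytes x1, 4,000,000 WU per block) to a hypothetical
post-quantum output type that, like P2WPKH, reveals signature and public key in the
witness. Sizes are published parameter sizes; the output type is an assumption.
"""
from typing import Dict, List

MAX_BLOCK_WEIGHT = 4_000_000
INPUT_NON_WITNESS_BYTES = 32 + 4 + 1 + 4   # prev txid, vout, empty scriptSig length, sequence

# name -> (signature bytes, public-key bytes that appear in the witness at spend time)
SCHEMES: Dict[str, tuple] = {
    "ECDSA (P2WPKH)": (72, 33),              # DER signature upper bound, compressed key
    "Schnorr (P2TR key path)": (64, 0),      # key already in the output; witness is the signature
    "ML-DSA-44 (FIPS 204)": (2420, 1312),
    "FN-DSA-512 (FIPS 206 draft)": (666, 897),
    "SLH-DSA-SHA2-128s (FIPS 205)": (7856, 32),
}


def compact_size_len(n: int) -> int:
    """Bytes taken by Bitcoin's CompactSize encoding of n (used for witness item lengths)."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFF_FFFF:
        return 5
    return 9


def witness_bytes(item_lengths: List[int]) -> int:
    """Serialized witness size: item count plus each item's length prefix and payload."""
    return compact_size_len(len(item_lengths)) + sum(compact_size_len(n) + n for n in item_lengths)


def input_weight(sig_len: int, pk_len: int) -> int:
    """Weight units of one input: base bytes count 4x, witness bytes count 1x."""
    items = [sig_len] + ([pk_len] if pk_len else [])
    return 4 * INPUT_NON_WITNESS_BYTES + witness_bytes(items)


def inputs_per_block(sig_len: int, pk_len: int) -> int:
    """How many such inputs fit in a block holding nothing else (an upper bound)."""
    return MAX_BLOCK_WEIGHT // input_weight(sig_len, pk_len)


def capacity_table() -> Dict[str, Dict[str, float]]:
    """Per-scheme weight, vbytes and throughput, relative to today's P2WPKH input."""
    base = input_weight(*SCHEMES["ECDSA (P2WPKH)"])
    table: Dict[str, Dict[str, float]] = {}
    for name, (sig_len, pk_len) in SCHEMES.items():
        w = input_weight(sig_len, pk_len)
        table[name] = {
            "weight": w,
            "vbytes": w / 4,
            "inputs_per_block": inputs_per_block(sig_len, pk_len),
            "relative_cost": w / base,
        }
    return table


if __name__ == "__main__":
    for name, row in capacity_table().items():
        print(f"{name:30s} {row['vbytes']:8.2f} vB  {row['inputs_per_block']:6d} inputs/block"
              f"  x{row['relative_cost']:.1f}")
```

The two classical rows reproduce the familiar 68 vB (P2WPKH) and 57.5 vB (P2TR key path) input sizes, which is a useful sanity check on the model before reading the post-quantum rows. Hybrid signatures would add the classical and post-quantum witness items together, so they cost slightly more than the post-quantum row alone.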

Managing this transition is even more challenging. Bitcoin has no central authority to enforce changes. Any post-quantum soft fork would require overwhelming consensus among developers, miners, exchanges, and large holders. All would need to act in a coordinated manner, and sufficiently early—before a truly dangerous quantum computer appears. The latest analysis by Andreessen Horowitz (a16z) emphasizes that coordination and timing pose greater risks than cryptography itself.

Three scenarios: shrinking, theft, or panic?

The supply dynamics in a post-quantum scenario are not automatic. There are three competing possibilities, each with different market outcomes.

Scenario 1 – “Shrinking through abandonment”: Coins in vulnerable outputs, whose owners never update their wallets (due to death, incapacity, or forgetfulness), are considered permanently lost. The supply effectively shrinks, but chaotically—not through secure migration, but through inaction.

Scenario 2 – "Distortion through theft": Attackers with advanced quantum computers begin draining old wallets with exposed public keys. Coins do not leave circulation; they change hands to thieves. Dormant P2PK and P2TR coins can be attacked at leisure, since their keys are already public. Hashed outputs are hit by a "sign-and-steal" attack instead: the attacker watches the mempool for a spending transaction that reveals a public key, recovers the private key before the transaction confirms (on average about ten minutes), and broadcasts a competing transaction with a higher fee so that miners include the attacker's version first.

Scenario 3 – “Panic before physics”: The mere prospect of upcoming quantum computers could trigger sell-offs or even split the blockchain into competing forks before any actual machine appears. History shows that market fear can be as dangerous as technical threats.

None of these scenarios guarantees a straightforward decrease in supply that would be bullish for the price. They could equally lead to chaotic valuation shifts and social conflicts.

Will Bitcoin truly become stronger?

Saylor is correct on one key point: Bitcoin can strengthen itself technologically. The network still has time to adopt post-quantum signature schemes that NIST has already standardized, to move coins out of vulnerable outputs, and to reach a level of cryptographic security at which quantum computers pose minimal threat.

However, this optimistic vision relies on a series of assumptions that are not guaranteed. It assumes that:

  • Developers and holders will act in a coordinated and timely manner
  • Migration will occur without triggering panic or community split
  • Quantum attackers won’t exploit the window between discovery and deployment
  • The community will accept higher fees and smaller capacity in the name of security

Saylor’s confidence largely hinges on the network’s ability to coordinate, not solely on cryptographic strength. Bitcoin could indeed emerge from the quantum era stronger, with improved signatures and possibly a share of coins effectively “burned”. But only if the network can carry out a costly, politically challenging, and technically complex upgrade before quantum computing catches up. In a time when even soft forks cause community disputes, this vision depends less on physics and more on skillful decentralized management.
