The threat model
The concern is not that Bitcoin or Ethereum breaks tomorrow. It is that a sufficiently large fault-tolerant quantum computer running Shor's algorithm would recover an elliptic-curve private key from its public key. Any wallet that has ever spent has published its public key on-chain, so its private key becomes recoverable the moment such a machine exists.
No such machine exists today and public estimates place the earliest plausible date years to decades away. The realistic risks between now and then are (a) long-life holdings on reused addresses, and (b) protocol governance moving slower than the underlying hardware.
Bitcoin
Bitcoin uses ECDSA (secp256k1), plus Schnorr for Taproot. Both are Shor-breakable. Not all Bitcoin exposure is equal:
- Never-spent P2PKH or P2WPKH addresses expose only the hash of the public key on-chain, which sits behind an additional layer of preimage resistance.
- Any address that has ever spent, or any Taproot output (which publishes the key directly), exposes the public key.
- Bitcoin has active BIP proposals to add post-quantum signatures. Nothing has activated yet.
Ethereum
Ethereum externally-owned accounts sign with ECDSA (secp256k1). Once an account has sent a transaction, its public key is derivable from the signature. Account abstraction opens a plausible path to migrate individual accounts to post-quantum signatures without a hard fork, but that migration has not shipped at protocol scale.
Post-quantum chains
A small number of production chains use post-quantum signatures today — most based on XMSS or SLH-DSA variants — and a larger number publish roadmaps. Independent scoring lives on Quantum Rankings, and the scoring rubric on methodology.
Wallet hygiene today
- Prefer fresh, never-spent addresses for cold storage.
- Sweep unused UTXOs into new addresses periodically.
- Keep firmware current on hardware wallets — this is where post-quantum support will land first.
- Avoid keeping large sums on address types that have already published their public key.
- Watch the research notes for BIP/EIP activations that change these tradeoffs.
Use our tools
Run a specific address through the Wallet Scanner to see its rules-based exposure score. Compare chains on Quantum Rankings. Read the scoring rubric on methodology before drawing conclusions.
Frequently asked questions
Is my Bitcoin wallet quantum-safe?
Not today. Bitcoin's signature scheme is ECDSA (and Schnorr for Taproot), both of which are vulnerable to Shor's algorithm on a sufficiently large quantum computer. Address types that have never revealed a public key on-chain (never-spent P2PKH or P2WPKH) enjoy an extra layer of hashing that raises the difficulty, but any address that has spent has revealed its public key. Our /wallet-scanner explains the exposure of a specific address.
What makes a wallet 'quantum-safe'?
A wallet is quantum-safe when the signature scheme securing its funds is post-quantum — for example a NIST-standardised scheme such as ML-DSA or SLH-DSA, or a hash-based scheme like XMSS or LMS. Very few production cryptocurrencies use post-quantum signatures today; the /quantum-crypto-rankings page tracks who does.
Should I move my crypto to a quantum-safe chain?
That is a personal decision that depends on how much you hold, how long you plan to hold it, and how much slippage you would accept from a chain switch. This site does not give investment advice. What we do publish is the scoring rubric on /methodology and the per-project scores on /quantum-crypto-rankings so you can decide with open evidence.
What can I do today?
Rotate addresses so that public keys are not lingering on-chain longer than they need to; keep meaningful amounts on hardware wallets with active firmware support; watch upstream chains (Bitcoin, Ethereum) for post-quantum upgrade proposals; and use /wallet-scanner to sanity-check exposure before big transactions.