Bitcoin Quantum testnet and BTQ’s “old BTC” risks explained

Key conclusions

  • Bitcoin’s quantum risk centers on exposed public keys and signature security.

  • The BTQ testnet explores post-quantum signatures in a Bitcoin-like environment.

  • Post-quantum signatures significantly raise transaction size and block space requirements.

  • “Legacy BTC risk” focuses on legacy output types and address reuse patterns.

BTQ Technologies announced that on January 12, 2026, it launched the Bitcoin Quantum testnet, a Bitcoin-like network designed to test post-quantum signatures without compromising the governance of the Bitcoin mainnet.

The idea is that BTQ replaces Bitcoin’s current signature scheme with ML-DSA, a module-lattice signature standard formalized by the National Institute of Standards and Technology (NIST) as Federal Information Processing Standard (FIPS) 204, which rests on post-quantum security assumptions.

It is worth remembering that in most Bitcoin quantum threat models, a key prerequisite is the disclosure of the public key. If the public key is already observable on the network, a future quantum computer with sufficient performance could theoretically attempt to recover the corresponding private key offline.

Did you know? BTQ Technologies is a research company focused on post-quantum cryptography and blockchain security. The Bitcoin Quantum testnet was designed to investigate how quantum-resistant signatures behave in a Bitcoin-like system.

What quantum changes?

Most discussions about Bitcoin’s quantum risks focus on digital signatures, not on the supply of Bitcoin coins or the idea that a quantum computer can magically guess random wallets.

A particular concern is that a cryptographically relevant quantum computer (CRQC) could run Shor’s algorithm to solve the discrete logarithm problem efficiently enough to derive a private key from a known public key, undermining both the Elliptic Curve Digital Signature Algorithm (ECDSA) and Schnorr-based signing.

Chaincode Labs frames this as the dominant quantum threat model for Bitcoin, as it could enable unauthorized spending by producing valid signatures.

The risk can be divided into long-range risk, where public keys are already observable on-chain for some legacy script types or through reuse, and short-range risk, where public keys are exposed after a transaction is broadcast and waits for confirmation, creating a narrow window of time.

Of course, no quantum computer currently poses a direct threat to Bitcoin, and mining-related impacts should be treated as a separate and more circumscribed discussion compared to signature cracking.

Did you know? Shor’s algorithm already exists as mathematics, but it requires a large, fault-tolerant quantum computer to run. If such machines are built, they can be used to obtain private keys from exposed public keys.

What BTQ built and why it is compelling

BTQ’s Bitcoin Quantum testnet is essentially a fork based on Bitcoin Core that replaces one of Bitcoin’s most vital primitives, signatures.

In its own announcement, BTQ said the testnet is replacing ECDSA with ML-DSA, a module-lattice signature scheme standardized by NIST as FIPS 204 for post-quantum digital signatures.

This change imposes a number of engineering compromises. ML-DSA signatures are approximately 38-72 times larger than ECDSA, so the testnet raises the block size limit to 64 mebibytes (MiB) to make room for additional transaction data.

The company also treats the network as a full lifecycle testing ground, supporting wallet creation, transaction signing and verification, and mining, along with core infrastructure such as a block explorer and mining pool.

In short, the practical value of the testnet is that it turns post-quantum Bitcoin into an experiment in efficiency and coordination.

Where the “old BTC” risk is concentrated

When analysts talk about “old BTC risk” in a post-quantum context, they usually refer to public keys that are already exposed on-chain.

A future CRQC capable of running Shor’s algorithm could theoretically use these public keys to derive the corresponding private keys and then produce a valid spend.

Three output types are directly vulnerable to long-range attacks because they place elliptic curve public keys directly in the locking script (ScriptPubKey): Pay-to-Public-Key (P2PK), Pay-to-Multi-Signature (P2MS), and Pay-to-Taproot (P2TR).

The distribution is uneven:

  • P2PK is a small fraction of today’s unspent transaction outputs (UTXOs), approximately 0.025%, but it locks up a disproportionate share of BTC’s value, approximately 8.68% or 1,720,747 Bitcoin (BTC), mostly dormant Satoshi-era coins.

  • P2MS accounts for approximately 1.037% of UTXOs, but reports estimate that it only secures approximately 57 BTC.

  • P2TR is common in number, around 32.5% of UTXOs, but holds a small share of value in the same snapshot, around 0.74% or 146,715 BTC. Its exposure is related to the Taproot key path design, where the tweaked public key is observable on-chain.
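The split between exposed and hashed output types can be checked mechanically from the locking script bytes. The following is an added example, not code from the article or from BTQ; the function names are hypothetical and the sample scripts use constructed filler bytes rather than real keys.

```python
# Added example (not from the article): flag scriptPubKeys that reveal a public key.
OP_1, OP_16, OP_CHECKSIG, OP_CHECKMULTISIG = 0x51, 0x60, 0xAC, 0xAE

def _is_pubkey(b: bytes) -> bool:
    # Compressed (33 bytes, prefix 02/03) or uncompressed (65 bytes, prefix 04).
    return (len(b) == 33 and b[0] in (2, 3)) or (len(b) == 65 and b[0] == 4)

def _is_bare_multisig(s: bytes) -> bool:
    # OP_m <pubkey>... OP_n OP_CHECKMULTISIG with 1 <= m <= n and exactly n keys.
    if len(s) < 4 or s[-1] != OP_CHECKMULTISIG or not (OP_1 <= s[0] <= s[-2] <= OP_16):
        return False
    i, keys, end = 1, 0, len(s) - 2
    while i < end:
        size = s[i]
        if size not in (33, 65) or i + 1 + size > end or not _is_pubkey(s[i + 1 : i + 1 + size]):
            return False
        i, keys = i + 1 + size, keys + 1
    return keys == s[-2] - OP_1 + 1

def classify(script_hex: str) -> tuple:
    """Return (output type, True if a public key is visible in the locking script)."""
    s = bytes.fromhex(script_hex)
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == OP_CHECKSIG and _is_pubkey(s[1:-1]):
        return "P2PK", True
    if _is_bare_multisig(s):
        return "P2MS", True
    if len(s) == 34 and s[0] == OP_1 and s[1] == 32:
        return "P2TR", True      # 32-byte tweaked output key sits in the script
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH", False    # only a hash of the key until the output is spent
    if len(s) == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "P2SH", False
    if len(s) in (22, 34) and s[0] == 0 and s[1] == len(s) - 2:
        return ("P2WPKH" if len(s) == 22 else "P2WSH"), False
    return "other", False

# Constructed sample scripts; the key and hash bytes are filler, not real keys.
KEY_A, KEY_B = "02" + "11" * 32, "03" + "22" * 32
SAMPLES = {
    "p2pk": "21" + KEY_A + "ac",
    "p2ms": "51" + "21" + KEY_A + "21" + KEY_B + "52ae",
    "p2tr": "5120" + "33" * 32,
    "p2pkh": "76a914" + "44" * 20 + "88ac",
    "p2wpkh": "0014" + "55" * 20,
}

def exposed(samples: dict) -> list:
    return sorted(name for name, h in samples.items() if classify(h)[1])
```

The hashed types return `False` only for the unspent output itself; spending from them, or reusing the address, still publishes the key.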

Address reuse can also turn what would otherwise be a short-window exposure into a high-impact exposure, because once the public key appears on the chain, it remains observable.

BTQ’s own messaging uses this exposed-key frame to argue that the potentially affected pool is large. It reports that 6.26 million BTC was exposed, which is one of the reasons why the company says it is now worth testing post-quantum signatures in a Bitcoin-like environment.

What’s next for Bitcoin?

In the near term, the most concrete task will be to monitor the situation and be prepared.

Research shows that the signature threat model is based on the disclosure of the public key. This is why discussions often focus on how existing Bitcoin wallet and script practices either expose public keys early, as with some legacy script types, or limit exposure by default, as with typical wallet behavior that avoids reuse.

“Legacy BTC risk” is therefore largely a property of historical output types and reuse patterns, rather than something that suddenly applies equally to every coin.

The second, more practical limitation is capacity. Even if post-quantum migration were socially agreed upon, it would still be a block space and coordination problem.

A River explainer summarizes academic estimates showing how sensitive timeframes are to assumptions. A theoretical scenario where all transactions are migrations can dramatically shorten the time frame, while a more realistic allocation of block space stretches the transition out over years, even before accounting for management and adoption.

The BTQ testnet fits into this bucket. It allows engineers to observe the operational costs of post-quantum signatures, including larger data sizes and different limits, in a Bitcoin-like environment, without claiming that Bitcoin is inevitably brittle.

Did you know? The biggest factor holding quantum computers back is noise, or errors. Today’s qubits often make errors, so fault-tolerant error correction is required. This means using many physical qubits to produce a small number of reliable “logical” qubits before performing the long computations needed to crack real-world cryptography.

What Bitcoin-level mitigation might look like

At the protocol level, quantum readiness is often discussed as a sequential path.

Post-quantum signature schemes tend to be much larger than elliptic curve signatures, which creates a knock-on effect on transaction size, throughput, and verification costs; BTQ encounters the same compromises when experimenting with ML-DSA.

Therefore, some Bitcoin proposals focus first on reducing the most structural exposure in existing script designs, without immediately committing the network to a specific post-quantum signature algorithm.

A recent example is Bitcoin Improvement Proposal (BIP) 360, which proposes a new output type called Pay-to-Tapscript-Hash (P2TSH). P2TSH is almost identical to Taproot, but removes the key path spend, a path based on elliptic curve signatures, leaving a tapscript-native route intended to avoid dependence on the key path.

Related ideas have circulated on the Bitcoin developer mailing list in the broader Taproot “hash-only” or “script release” family, often discussed as Pay-to-Quantum-Resistant-Hash (P2QRH)-style constructs. These proposals again aim to reuse the Taproot structure while avoiding the key spend that is vulnerable to quantum attacks.

Importantly, none of this is certain. The bottom line is that Bitcoin’s likely reaction, if it moves, is discussed as an increasing coordination problem that balances conservatism, compatibility, and the cost of changing the transaction format.

The BTQ testnet is quite revealing

BTQ’s Bitcoin Quantum testnet doesn’t settle the quantum debate, but it does make two issues harder to ignore.

First, the most credible threat models focus on places where public keys are already exposed, so “old coin” patterns still appear in analyses.

Second, post-quantum Bitcoin is an engineering and coordination problem. BTQ Technologies’ own design choices, such as moving to ML-DSA and lifting block limits to accommodate much larger signatures, illustrate these tradeoffs.

Ultimately, the testnet is a sandbox for measuring costs and constraints and should not be seen as evidence that Bitcoin is inevitably brittle.

Cointelegraph maintains full editorial independence. Advertisers, partners or commercial relationships have no influence on the selection, launch and publication of the Magazine Features and content.
