Citi: Quantum Computing Breakthroughs Are Accelerating — Bitcoin Faces “Excess Quantum Risk”
Quantum computing is no longer a purely academic storyline for crypto. In recent research shared by Citi Institute, analysts argue that progress in quantum hardware and the surrounding security ecosystem is moving faster than many market participants assumed, and that blockchains—especially Bitcoin—carry an “excess” concentration of long-term quantum exposure compared with many other digital systems. A good starting reference is Citi’s own report, Quantum Threat: The Trillion-Dollar Security Race Is On, which highlights why exposed public keys are the most immediate on-chain risk surface for digital assets and internet infrastructure more broadly (Citi Institute report (PDF), plus a shorter overview in their Q&A: Managing the quantum threat to blockchains).
For Bitcoin holders, builders, and institutions evaluating Bitcoin security and self-custody, the important question is not “Will quantum computers break Bitcoin tomorrow?” It is: What parts of Bitcoin are most exposed today, and what upgrades and operational habits reduce the blast radius if quantum timelines compress?
1) What quantum computers threaten in Bitcoin (and what they don’t)
Bitcoin’s ownership model ultimately depends on digital signatures. Today, the network relies on elliptic-curve cryptography (ECC): ECDSA for legacy spends and Schnorr signatures for Taproot-style spends. A sufficiently capable quantum computer could—in theory—use quantum algorithms to solve the mathematical problem behind ECC and derive a private key from a known public key, enabling unauthorized spending.
Two clarifications matter:
- Quantum risk is not “mining risk.” Quantum computing does not magically rewrite Bitcoin’s history. The core concern is key compromise—the ability to sign as someone else.
- The highest-impact scenario is selective theft. Early “cryptographically relevant” quantum machines (if/when they arrive) would likely be scarce and expensive, so attackers may target high-value, high-certainty wallets rather than attempting to “break Bitcoin all at once”—a framing Citi also emphasizes in its discussion of practical constraints and prioritization.
2) Why Bitcoin’s “public key exposure” creates a larger attack surface
In Bitcoin, many modern address types do not reveal the public key on-chain until coins are spent; they typically publish a hash that commits to the public key. That design reduces long-exposure risk.
However, a meaningful portion of BTC is still associated with outputs where the public key is already visible on-chain, including:
- Early P2PK (Pay-to-Public-Key) outputs, where public keys were embedded directly in locking scripts.
- Previously spent-from outputs, where spending can reveal a public key (especially if users reused addresses or followed older wallet behaviors).
This is where the “excess quantum risk” narrative comes from. Depending on methodology (and what counts as “exposed”), estimates vary. Citi’s published Quantum Threat material frames the quantum-exposed pool as a sizeable minority of BTC supply (with a wide range depending on definition). In parallel, other industry discussions often cite a range closer to “around one-third,” frequently landing in the ~6.5 million to ~6.9 million BTC neighborhood in market commentary—numbers that become even more eye-catching when multiplied by BTC’s price.
The takeaway is consistent even if the exact number moves: Bitcoin has a large, identifiable set of high-value targets whose public keys are already out in the open.
3) “Harvest Now, Decrypt Later” meets crypto
A second risk Citi highlights is the “Harvest Now, Decrypt Later” (HNDL) strategy: adversaries collect encrypted or sensitive data today, then decrypt it later once quantum capabilities mature.
For crypto, HNDL has two practical interpretations:
- Off-chain exposure: KYC data, exchange account records, institutional settlement messages, and private communications have long lifetimes. Even if funds are safe on-chain, confidentiality can be retroactively compromised.
- On-chain cataloging: Public blockchain data is permanent. If public keys are exposed today, they can be indexed now and attacked later—without needing to “break” the chain itself.
This is why quantum preparedness is increasingly discussed as a multi-year migration problem, not a single patch.
4) Why Bitcoin may upgrade more slowly than faster-moving PoS ecosystems
Citi’s analysis also points to governance velocity: Bitcoin’s culture prioritizes conservatism, backward compatibility, and minimizing consensus risk. That is often a feature—until you’re facing a deadline.
Compared with more rapidly evolving PoS networks (for example, Ethereum’s faster protocol iteration cadence), Bitcoin’s change process typically demands:
- Long review cycles
- Extensive adversarial testing
- Broad social consensus among node operators, miners, wallet developers, and institutions
That makes it harder to “turn on a dime” if quantum timelines tighten.
5) What’s changed since 2024–2026: PQC moved from theory to standards
A major shift—often underappreciated in crypto circles—is that post-quantum cryptography is no longer just “research papers.” It is becoming standardized infrastructure.
- In August 2024, NIST released the first finalized post-quantum cryptography standards, intended for immediate adoption in many environments (NIST announcement, and the underlying standards such as FIPS 203 (final)).
- In March 2025, NIST selected HQC as an additional post-quantum encryption algorithm to diversify assumptions (NIST HQC selection).
For crypto, this matters because it accelerates vendor roadmaps, compliance expectations, and the broader “crypto-agility” movement—making it more realistic for wallets, custody stacks, and enterprises to plan migrations rather than waiting for a perfect, single solution.
6) The Bitcoin community’s emerging roadmap: BIP-360 and BIP-361
Two Bitcoin Improvement Proposals increasingly referenced in quantum-resilience discussions are BIP-360 and BIP-361.
BIP-360: reduce long-exposure risk with a new output type (P2MR)
BIP-360 proposes Pay-to-Merkle-Root (P2MR), a Taproot-like output structure without the key-path spend. Conceptually, it aims to make it easier to use script trees while reducing the situations where a public key is persistently exposed.
Important nuance: BIP-360 is best understood as a structural stepping stone. It improves how Bitcoin could behave under long-exposure threat models, but it is not, by itself, the same thing as “Bitcoin has post-quantum signatures.”
BIP-361: a planned “sunset” for legacy signatures (and forced migration incentives)
BIP-361 goes further: it outlines a pre-announced migration path that pressures the ecosystem to move away from legacy ECDSA/Schnorr spends over a defined timeline, using phased restrictions and a rescue-style mechanism.
Whether one agrees with the approach or not, the significance is that BIP-361 reframes quantum risk as a coordination problem: if a large pool of exposed coins remains spendable forever under legacy rules, then a future quantum attacker could selectively steal from dormant wallets—potentially undermining confidence in Bitcoin’s monetary premium.
7) What Bitcoin holders can do now (without waiting for a post-quantum hard fork)
Even before protocol-level post-quantum signatures exist, users can reduce the most avoidable parts of quantum exposure:
- Stop address reuse: Reuse increases the chance that your public key becomes an easy long-lived target.
- Audit for legacy exposure: If you hold coins in very old script types (especially early-era outputs) or in wallets with historical address reuse, consider migrating to modern wallet practices.
- Plan for “crypto-agility” in your custody setup: Institutions should treat quantum readiness like any other multi-year security migration: inventory, prioritization, staged rollout, and rehearsals.
- Keep keys offline and upgrades manageable: Quantum risk is not the only risk. Phishing, malware, and social engineering remain immediate. A hardware wallet helps by isolating private keys from networked devices during daily operations, and it also provides a safer path when you eventually need to migrate funds under new script types or signing policies.
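As an added example (not code from the original post, from Citi, or from OneKey), the following Python performs the “audit for legacy exposure” step above using the distinction from section 2: it classifies a scriptPubKey by whether it publishes a raw public key (P2PK) or only a hash (P2PKH, P2SH, P2WPKH, P2WSH), and it additionally treats Taproot outputs as exposed, since their tweaked x-only output key sits directly in the script, and treats any address already spent from as exposed because the earlier spend revealed its key. The sample UTXOs, key bytes and hash bytes are constructed placeholders.

```python
# Added example (not Citi's or OneKey's code): classify a Bitcoin scriptPubKey by
# whether the spending public key is already visible on-chain, then total the
# value of "exposed" UTXOs. Key and hash bytes below are constructed placeholders.

OP_0, OP_1, OP_DUP, OP_EQUAL = 0x00, 0x51, 0x76, 0x87
OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x88, 0xA9, 0xAC

def classify(spk: bytes):
    """Return (output type, True if the public key itself is in the script)."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG: the raw key sits in the script.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", True
    # P2PKH: OP_DUP OP_HASH160 <20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", False
    # P2SH: OP_HASH160 <20> <hash160> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "P2SH", False
    # Native SegWit v0 commits to a hash: P2WPKH (20 bytes) / P2WSH (32 bytes)
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH", False
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "P2WSH", False
    # P2TR: OP_1 <32> <x-only output key>. The tweaked output key is on-chain,
    # so the key-path spend is exposed even before the output is ever spent.
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR", True
    return "unknown", False

def exposed_value(utxos) -> int:
    """Sum sats of UTXOs whose key is in the script or was revealed by an
    earlier spend from the same address (address reuse)."""
    return sum(sats for spk, sats, spent_before in utxos
               if classify(spk)[1] or spent_before)

# Constructed sample UTXOs: (scriptPubKey, value in sats, address spent from before)
SAMPLE_UTXOS = [
    (bytes([33, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG]), 5_000_000, False),  # P2PK
    (bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20
     + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 1_000_000, False),              # P2PKH, fresh
    (bytes([OP_0, 20]) + b"\x33" * 20, 2_000_000, True),                       # P2WPKH, reused
    (bytes([OP_1, 32]) + b"\x44" * 32, 3_000_000, False),                      # P2TR
]

if __name__ == "__main__":
    for spk, sats, reused in SAMPLE_UTXOS:
        print(classify(spk), sats, "reused" if reused else "fresh")
    print("exposed sats:", exposed_value(SAMPLE_UTXOS))  # 10000000
```

Running the audit against a real wallet means feeding it the wallet's own UTXO set plus a per-address flag for prior spends; only the P2PKH output with no spend history is counted as not yet exposed in the sample.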
Where OneKey fits in a “post-quantum readiness” mindset
No hardware wallet can magically make ECC “quantum-proof” today. But a security posture that is upgrade-ready and operationally robust still matters. OneKey’s self-custody workflow—offline key generation, on-device transaction confirmation, and a design philosophy that emphasizes verifiability—aligns well with the practical needs of a long, staged transition: you want your signing environment to stay isolated and you want a clear path to adopt new standards as the ecosystem converges.
In other words: post-quantum Bitcoin will be a migration, not a moment. Getting your custody hygiene right now is how you reduce both today’s threats and tomorrow’s uncertainty.