The post Michael Saylor says quantum will “harden” Bitcoin, but he’s ignoring the 1.7 million coins already at risk appeared on BitcoinEthereumNews.com.

Michael Saylor says quantum will “harden” Bitcoin, but he’s ignoring the 1.7 million coins already at risk

Michael Saylor delivered a characteristically bold take on Dec. 16 about Bitcoin and the quantum leap:

The statement captures the optimistic case for Bitcoin’s post-quantum future. Still, the technical record reveals a messier picture where physics, governance, and timing determine whether the transition strengthens the network or triggers a crisis.

Quantum won’t break Bitcoin (if migration happens in time)

Saylor’s core claim is directionally correct. Bitcoin’s main quantum vulnerability sits in its digital signatures, not proof-of-work.

The network uses ECDSA and Schnorr over secp256k1. Shor’s algorithm can derive private keys from public keys once a fault-tolerant quantum computer reaches roughly 2,000 to 4,000 logical qubits.

Current devices operate orders of magnitude below that threshold, placing cryptographically relevant quantum computers at least a decade out.

NIST has already finalized the defensive tools Bitcoin would need. The agency published two post-quantum digital signature standards, ML-DSA (Dilithium) and SLH-DSA (SPHINCS+), as FIPS 204 and 205, with FN-DSA (Falcon) progressing as FIPS 206.

These schemes resist quantum attacks and could be integrated into Bitcoin via new output types or hybrid signatures. Bitcoin Optech tracks live proposals for post-quantum signature aggregation and Taproot-based constructions, with performance experiments showing SLH-DSA can function on Bitcoin-like workloads.

What Saylor’s framing omits is the cost. Research from the Journal of the British Blockchain Association argues that a realistic migration is a defensive downgrade: security improves against quantum threats, but block capacity could fall by roughly half.

Node costs rise because current post-quantum signatures are larger and more expensive to verify. Transaction fees climb as each signature consumes more block space.

The hard part is governance. Bitcoin has no central authority to mandate upgrades. A post-quantum soft fork would require overwhelming consensus among developers, miners, exchanges, and large holders, all moving before a cryptographically relevant quantum computer appears.

A16z’s recent analysis emphasizes that coordination and timing pose greater risks than the cryptography itself.

Exposed coins become targets, not frozen assets

Saylor’s claim that “active coins migrate, lost coins stay frozen” oversimplifies the on-chain reality. Vulnerability depends entirely on the address type and whether the public key is already visible.

Early pay-to-public-key outputs place the raw public key directly on-chain and permanently expose it.

Standard P2PKH and SegWit P2WPKH addresses hide the public key behind hashes until the coins are spent, at which point the key becomes visible and quantum-stealable.

Taproot P2TR outputs encode a public key in the output from day one, making those UTXOs exposed even before they move.

Analyses estimate that roughly 25% of all Bitcoin is already in outputs with publicly revealed keys. Deloitte’s breakdown and recent Bitcoin-focused work converge on this figure, encompassing large early P2PK balances, custodian activity, and modern Taproot usage.

On-chain research suggests approximately 1.7 million BTC in “Satoshi-era” P2PK outputs and hundreds of thousands more in Taproot outputs with exposed keys.

Some “lost” coins are not frozen, but rather ownerless and could become a bounty for the first attacker with a capable machine.

Coins that have never revealed a public key (single-use P2PKH or P2WPKH) are protected by hashed addresses. Against those hashes, Grover’s algorithm provides only a square-root speedup, which parameter adjustments can compensate for.

The most at-risk slice of supply is precisely dormant coins locked to already-exposed public keys.
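The exposure rules described above for P2PK, P2PKH, P2WPKH and P2TR outputs can be checked mechanically against a wallet's own UTXO set. The following is an added example, not code from the article or from any Bitcoin project: it matches the standard scriptPubKey byte templates and totals balances by exposure. The sample scripts use constructed dummy bytes, and the `key_seen_in_spend` flag is an assumption that the caller already knows whether the same key has appeared in an earlier spend.

```python
from collections import defaultdict

def output_type(script_hex: str) -> str:
    """Match a hex scriptPubKey against the four templates the article names."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33 or 65 bytes> <pubkey> OP_CHECKSIG (0xac)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        prefixes = (2, 3) if n == 35 else (4,)  # compressed / uncompressed key
        if s[1] in prefixes:
            return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH"
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH"
    # P2TR: OP_1 <32-byte x-only output key>
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR"
    return "other"

def exposure(script_hex: str, key_seen_in_spend: bool = False) -> str:
    """Return 'exposed', 'hashed' or 'unclassified' for one output."""
    kind = output_type(script_hex)
    if kind in ("P2PK", "P2TR"):
        return "exposed"  # the public key sits in the output itself
    if kind in ("P2PKH", "P2WPKH"):
        # The hash hides the key only until a spend from that key reveals it.
        return "exposed" if key_seen_in_spend else "hashed"
    return "unclassified"  # script types the article does not discuss

def summarize(utxos):
    """Total satoshis per exposure state for (script_hex, sats, seen) tuples."""
    totals = defaultdict(int)
    for script_hex, sats, seen in utxos:
        totals[exposure(script_hex, seen)] += sats
    return dict(totals)

# Constructed sample UTXOs (dummy key and hash bytes, not real outputs).
SAMPLE_UTXOS = [
    ("41" + "04" + "11" * 64 + "ac", 5_000_000_000, False),  # P2PK
    ("76a914" + "33" * 20 + "88ac", 120_000_000, False),     # P2PKH, single-use
    ("76a914" + "33" * 20 + "88ac", 30_000_000, True),       # P2PKH, key reused
    ("0014" + "44" * 20, 75_000_000, False),                 # P2WPKH, single-use
    ("5120" + "55" * 32, 10_000_000, False),                 # P2TR
    ("a914" + "66" * 20 + "87", 1_000_000, False),           # P2SH, not covered
]

if __name__ == "__main__":
    for state, sats in sorted(summarize(SAMPLE_UTXOS).items()):
        print(f"{state:13s} {sats / 1e8:.8f} BTC")
```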

Supply effects are uncertain, not automatic

Saylor’s assertion that “security goes up, supply comes down” separates cleanly into mechanics and speculation.

Post-quantum signatures, such as ML-DSA and SLH-DSA, are designed to remain secure against large, fault-tolerant quantum computers and are now part of official standards.

Bitcoin-specific migration ideas include hybrid outputs that require both classical and post-quantum signatures, as well as signature-aggregation proposals to reduce chain bloat.

But supply dynamics are not automatic, and three competing scenarios exist.

The first is “supply shrink via abandonment,” where coins in vulnerable outputs whose owners never upgrade are treated as lost or explicitly blocklisted. The second is “supply distortion via theft,” where quantum attackers drain exposed wallets.

The remaining scenario is “panic before physics,” where the perception of looming quantum capability triggers sell-offs or chain splits before any actual machine exists.

None of these guarantees a net reduction in circulating supply that is cleanly bullish. They could just as easily produce a messy repricing, contentious forks, and a one-time wave of attacks on legacy wallets.

Whether supply “comes down” hinges on policy choices, uptake rates, and the attacker’s capabilities.

SHA-256-based proof-of-work is relatively robust because Grover’s algorithm only gives a quadratic speedup.

The more subtle risk lies in the mempool, where a transaction spending from a hashed-key address reveals its public key while it waits to be mined.

Recent analyses describe a hypothetical “sign-and-steal” attack in which a quantum attacker watches the mempool, quickly recovers a private key, and races a conflicting transaction with a higher fee.

What the math actually says

The physics and standards roadmap agree that quantum does not automatically break Bitcoin overnight.

There is a window, possibly a decade or more, for a deliberate post-quantum migration. However, that migration is costly and politically hard, and a non-trivial share of today’s supply already sits in quantum-exposed outputs.

Saylor is directionally right that Bitcoin can harden. The network can adopt post-quantum signatures, upgrade vulnerable outputs, and emerge with stronger cryptographic guarantees.

However, the claim that “lost coins stay frozen” and “supply comes down” assumes a clean transition in which governance cooperates, owners migrate over time, and attackers never exploit the lag.

Bitcoin can come out stronger, with upgraded signatures and possibly some effectively burned supply, but only if developers and large holders move early, coordinate governance, and manage the transition without triggering panic or large-scale theft.

Whether Bitcoin grows stronger depends less on quantum capability timelines than on whether the network can execute a messy, expensive, politically fraught upgrade before the physics catches up. Saylor’s confidence is a bet on coordination, not cryptography.

Source: https://cryptoslate.com/michael-saylor-says-quantum-will-harden-bitcoin-but-hes-ignoring-the-1-7-million-coins-already-at-risk/
