
Michael Saylor made a characteristically bold statement about Bitcoin and its “quantum leap” on December 16th.
“Bitcoin’s Quantum Leap: Quantum computing will strengthen Bitcoin, not destroy it. The network will be upgraded, active coins will be migrated, and lost coins will remain frozen. Security will increase. Supply will decrease. Bitcoin will become stronger.”
This statement captures an optimistic case for Bitcoin's post-quantum future. Still, the technical record reveals a more troubling picture in which physics, governance, and timing will determine whether a transition strengthens the network or precipitates a crisis.
Quantum will not destroy Bitcoin (if the transition is done in time)
Saylor's central argument is directionally true. Bitcoin’s main quantum vulnerability lies in its digital signatures, not in proof of work.
The network uses ECDSA and Schnorr signatures over secp256k1. Shor's algorithm would allow a fault-tolerant quantum computer to derive private keys from public keys once it reaches roughly 2,000 to 4,000 logical qubits.
Current devices are orders of magnitude below that threshold, and cryptographically relevant quantum computers are at least a decade away.
NIST has already finalized the defensive tools Bitcoin needs. The agency has published two post-quantum digital signature standards, ML-DSA (Dilithium) and SLH-DSA (SPHINCS+), as FIPS 204 and FIPS 205, with FN-DSA (Falcon) being developed as FIPS 206.
These schemes resist quantum attacks and could be integrated into Bitcoin via new output types or hybrid signatures. Bitcoin Optech is tracking live proposals for post-quantum signature aggregation and Taproot-based constructions, along with performance experiments showing that SLH-DSA can handle Bitcoin-like workloads.
What Saylor's framework leaves out is cost. A study in the Journal of the British Blockchain Association argues that a realistic transition is a “defensive downgrade”: security against quantum threats improves, but block capacity may be reduced by about half.
Current post-quantum signatures are large and expensive to verify, which raises the cost of running a node. Transaction fees rise because each signature consumes more block space.
Governance is harder still. Bitcoin has no central authority that can mandate upgrades. A post-quantum soft fork requires overwhelming consensus among developers, miners, exchanges, and large holders, all of whom must move before cryptographically relevant quantum computers arrive.
A recent analysis from A16z highlights that coordination and timing pose greater risks than the cryptography itself.
Exposed coins are not frozen assets but targets
Saylor’s assertion that “active coins will be migrated and lost coins will remain frozen” oversimplifies the on-chain reality. The vulnerability depends entirely on the output type and on whether the public key is already visible.
The original pay-to-public-key (P2PK) output places the raw public key directly on the chain, where it remains publicly visible forever.
Standard P2PKH addresses and SegWit P2WPKH addresses hide the public key behind a hash until the coins are spent. Once the coins are spent, the public key becomes visible, and any coins still controlled by that key can be stolen by a quantum attacker.
The Taproot P2TR output encodes the public key into the output from day one, so the key is public even before the UTXO is ever moved.
Analyses estimate that approximately 25% of all bitcoin already sits in outputs with exposed public keys. A Deloitte breakdown and recent Bitcoin-focused research converge on this figure, counting early large P2PK balances, custodial activity, and modern Taproot usage.
On-chain research suggests roughly 1.7 million BTC sits in “Satoshi-era” P2PK outputs, with hundreds of thousands more BTC in Taproot outputs whose keys are exposed.
Some “lost” coins are therefore not frozen at all: they have no owner to move them, so they could represent a bounty for the first attacker with a capable machine.
Coins that have never revealed their public key (unspent P2PKH or P2WPKH outputs) are protected by the hash. Grover's algorithm provides only a square-root speedup against hashes, and that can be offset with parameter tuning.
The part of the supply most at risk is precisely the dormant coins locked to public keys that are already visible on-chain.
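To make the address-type distinction above concrete, here is an added example (it is not from the article and not from any Bitcoin project) of a defender-side triage script: it takes a UTXO set plus the set of key hashes whose public keys have already appeared in spending inputs (reused addresses), and reports how much value sits behind exposed keys versus keys still hidden by a hash. The byte templates for P2PK, P2PKH, P2WPKH and P2TR scriptPubKeys are the standard ones; the sample UTXOs, their values, and the `SAMPLE_REVEALED` set are constructed for the demo, and in real use a chain indexer would populate them.

```python
"""Quantum-exposure triage for a UTXO set (added example, not the article's code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Utxo:
    script_pubkey: bytes  # raw scriptPubKey of the output
    value_sat: int        # value in satoshis


# Exposure states used by the summary.
EXPOSED = "exposed"   # public key is on-chain; a Shor-capable attacker could derive the private key
HASHED = "hashed"     # only hash160(pubkey) is on-chain; protected until the first spend
UNKNOWN = "unknown"   # script types this triage does not classify (P2SH, P2WSH, bare multisig, ...)


def classify_script(spk: bytes) -> str:
    """Recognise the standard single-key output templates by their byte layout."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH"
    # P2WPKH: OP_0 <20 bytes>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"
    # P2TR: OP_1 <32-byte x-only output key>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"
    return "OTHER"


def key_hash(spk: bytes, script_type: str) -> Optional[bytes]:
    """Return the 20-byte hash160 a P2PKH/P2WPKH script commits to, else None."""
    if script_type == "P2PKH":
        return spk[3:23]
    if script_type == "P2WPKH":
        return spk[2:22]
    return None


def exposure(utxo: Utxo, revealed_hashes: Set[bytes]) -> Tuple[str, str]:
    """Classify one UTXO as (script_type, exposure_state).

    `revealed_hashes` holds hash160 values whose public key has already been
    published in a spending input, i.e. reused addresses. A chain indexer would
    build this set; in this example the caller supplies it (assumption).
    """
    script_type = classify_script(utxo.script_pubkey)
    if script_type in ("P2PK", "P2TR"):
        return script_type, EXPOSED          # key sits in the output itself
    if script_type in ("P2PKH", "P2WPKH"):
        h = key_hash(utxo.script_pubkey, script_type)
        return script_type, (EXPOSED if h in revealed_hashes else HASHED)
    return script_type, UNKNOWN


def summarize(utxos: Iterable[Utxo], revealed_hashes: Set[bytes]) -> Dict[str, int]:
    """Total satoshis per exposure state."""
    totals = {EXPOSED: 0, HASHED: 0, UNKNOWN: 0}
    for u in utxos:
        _, state = exposure(u, revealed_hashes)
        totals[state] += u.value_sat
    return totals


def exposed_fraction(utxos: Iterable[Utxo], revealed_hashes: Set[bytes]) -> float:
    """Share of total value whose spending key is already public."""
    totals = summarize(list(utxos), revealed_hashes)
    total = sum(totals.values())
    return totals[EXPOSED] / total if total else 0.0


# Constructed sample UTXO set: key bytes and values are made up for the demo.
SAMPLE_UTXOS = [
    Utxo(b"\x21" + b"\x02" + b"\x11" * 32 + b"\xac", 1_000_000_000),  # P2PK, compressed key
    Utxo(b"\x76\xa9\x14" + b"\xaa" * 20 + b"\x88\xac", 500_000_000),  # P2PKH, never spent from
    Utxo(b"\x76\xa9\x14" + b"\xbb" * 20 + b"\x88\xac", 200_000_000),  # P2PKH, address reused
    Utxo(b"\x00\x14" + b"\xcc" * 20, 300_000_000),                     # P2WPKH, never spent from
    Utxo(b"\x51\x20" + b"\xdd" * 32, 400_000_000),                     # P2TR, key in output
    Utxo(b"\xa9\x14" + b"\xee" * 20 + b"\x87", 100_000_000),           # P2SH, not triaged here
]
# Constructed: pretend an indexer saw the key behind hash 0xbb..bb in an earlier spend.
SAMPLE_REVEALED = {b"\xbb" * 20}

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(exposure(u, SAMPLE_REVEALED), u.value_sat)
    print(summarize(SAMPLE_UTXOS, SAMPLE_REVEALED))
    print(f"exposed fraction: {exposed_fraction(SAMPLE_UTXOS, SAMPLE_REVEALED):.2%}")
```

Two design choices are worth noting. P2TR is always marked exposed, because the x-only output key in the script is exactly what a Shor-capable attacker would need to forge a key-path spend, whether or not a script path also exists. P2SH and P2WSH are left as unknown because their exposure depends on the redeem script, which this triage does not parse.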
Impacts on supply are uncertain and will not occur automatically
Saylor's claim that “security will increase and supply will decrease” splits cleanly into mechanism and speculation.
Post-quantum signatures such as ML-DSA and SLH-DSA are designed to remain secure against large-scale, fault-tolerant quantum computers and are now part of official standards.
Bitcoin-specific migration ideas include hybrid outputs that require both a classical and a post-quantum signature, as well as signature aggregation proposals to limit chain bloat.
However, supply effects do not happen automatically, and three competing scenarios exist.
The first is “shrinking supply through abandonment,” where coins in weak output types that their owners never upgrade are treated as lost or explicitly blocklisted. The second is “supply distortion through theft,” where quantum attackers drain exposed wallets.
The third is a “pre-physics panic,” in which the prospect of imminent quantum capability triggers a market crash or chain split before any such machine exists.
None of these guarantees a net reduction in circulating supply that is unambiguously bullish. They can just as easily produce messy repricing, contentious forks, and one-off attacks on legacy wallets.
Whether supply “decreases” depends on policy choices, adoption rates, and attacker capabilities.
SHA-256-based proof of work is relatively robust, since Grover's algorithm provides only a quadratic speedup.
A subtler risk lies in the mempool, where a transaction spending from a hashed-key address reveals the public key while it waits to be mined.
A recent analysis describes a hypothetical “sign and steal” attack in which a quantum attacker monitors the mempool, rapidly recovers the private key, and outbids the original transaction with a competing one that pays a higher fee.
What Mathematics Actually Shows
Physics and the standard roadmaps agree that quantum computing will not automatically destroy Bitcoin overnight.
A planned post-quantum transition probably has more than a decade of runway. But that transition will be costly and politically difficult, and a significant share of today's supply already sits in quantum-exposed outputs.
Saylor is right that Bitcoin has the potential to harden. The network can adopt post-quantum signatures, retire weak outputs, and emerge with stronger cryptographic guarantees.
However, the argument that “lost coins will remain frozen” and “supply will decrease” assumes a clean transition, in which governance cooperates, owners migrate in time, and attackers never exploit the delay.
Bitcoin could become stronger with upgraded signatures and, in some scenarios, a smaller effective supply, but only if developers and large holders act early, align governance, and manage the transition without triggering panic or mass theft.
Whether Bitcoin becomes stronger depends less on the timeline for quantum capabilities and more on whether the network can carry out messy, expensive, and politically difficult upgrades before physics catches up. Saylor's confidence rests on coordination, not cryptography.

