Bitcoin's security model relies on cryptographic assumptions that hold against classical computers. Sufficiently powerful quantum computers, when they exist, will violate two of those assumptions: they will be able to derive private keys from public keys (breaking ECDSA), and they will be able to find hash collisions much faster than classical computers can (weakening SHA-256). The first capability is the more urgent threat to Bitcoin custody. The second is more distant and more theoretical.
Quantum computers powerful enough to break Bitcoin do not exist yet. They may not exist for a decade or more. But Bitcoin custody is a multi-decade exercise, and the choices custody providers make now — about address types, key reuse, and quantum-resistant migration roadmaps — determine whether the keys you generate today remain secure when the threat materializes.
Bitcoin uses ECDSA — the Elliptic Curve Digital Signature Algorithm — to verify ownership of funds. The private key is held secret; the public key is derived from it; the address is derived from the public key by hashing. When a holder spends Bitcoin, they reveal the public key as part of the transaction (this is how the network verifies the signature). Until that moment, only the hashed address is visible on-chain.
A sufficiently powerful quantum computer running Shor's algorithm can derive the private key from the public key. This breaks ECDSA. The practical implication: Bitcoin held at addresses where the public key has been revealed becomes vulnerable. Bitcoin held at addresses where only the hash has been revealed remains protected by the hash function, which is much more resistant to quantum attack.
This means the quantum threat is not uniform across all Bitcoin. The vulnerable Bitcoin is the Bitcoin held at addresses where the public key is already exposed — historically, that includes early P2PK transactions (including most of Satoshi's coins) and addresses that have been reused after a spend.
The Bitcoin blockchain is permanent and public. Every transaction ever made is recorded forever. Public keys revealed in transactions are visible to anyone, indefinitely. The implication: an adversary who anticipates having quantum computing capability in the future is rationally collecting public keys now, intending to derive private keys later.
This is called “harvest now, decrypt later”. It is the standard threat model for any data that needs to remain confidential across long time horizons. Nation-states with serious cryptographic intelligence programs are presumed to be collecting Bitcoin public keys, particularly those associated with substantial holdings or with positions of interest (Satoshi-era coins, identifiable corporate treasuries, government seizures).
The practical consequence: address reuse is a far more serious operational risk than it appears. Every time a holder reuses an address, the public key behind that address is exposed and can be harvested. Bitcoin best practice has always recommended single-use addresses; the quantum threat raises the cost of ignoring this practice.
Mature custody providers have begun publishing quantum-migration roadmaps that address how they will transition client holdings to quantum-resistant signature schemes when those schemes are standardized and adopted at the Bitcoin protocol level. The roadmaps are necessarily speculative — quantum-resistant Bitcoin requires a protocol-level soft or hard fork, and the schemes have not yet been chosen — but the existence of a roadmap is itself a positive evaluation signal.
Specific things to look for: a published statement on quantum-readiness, a stated policy of avoiding address reuse for all client holdings, an awareness of the Bitcoin protocol-level proposals (FROST, Schnorr aggregation, hash-based signature schemes), and a stated commitment to migrate client UTXOs to new address types as the protocol upgrades. Custody providers that cannot articulate any of these are not paying serious attention to a multi-decade risk.
For holders managing their own keys, the most important practical step is avoiding address reuse. Modern hardware wallets and software wallets generate fresh addresses for every receive operation by default; the holder needs only to not override this behavior. Specifically, never copy an old address to receive new funds. Each transaction should go to a fresh address.
For holders using custodial or institutional arrangements, the question is whether the provider follows the same practice at the address level. Most do; the few that do not should be evaluated for that gap. Multi-institution custody arrangements typically use single-use addresses by default and migrate UTXOs across protocol upgrades as part of standard operations.
For holders making multi-decade custody decisions, the quantum threat is one of several long-horizon risks worth weighting. It is not the most urgent risk in 2026, but it is a real risk that becomes more material every year. Custody arrangements selected today will be tested against threats that did not exist when the arrangement was set up; the providers most likely to handle that transition well are those who have publicly articulated how they will handle it.
Quantum computing is not an emergency today, but it is a real threat on the horizon for any custody arrangement intended to hold Bitcoin across multiple decades. The two operational responses available now — avoid address reuse, and prefer providers with quantum-migration roadmaps — are not technically difficult. They simply require taking the threat seriously enough to act on it before it becomes urgent.
Sourced from Spark.Money research; analysis adapted for Proof of Custody's custody-comparison editorial scope.
Get weekly custody analysis and platform updates delivered to your inbox.