“Old BTC risk” is concentrated in legacy output types and address reuse patterns.
BTQ Technologies said it had launched a Bitcoin Quantum testnet on Jan. 12, 2026, a Bitcoin-like network designed to trial post-quantum signatures without touching Bitcoin mainnet governance.
The idea is that BTQ would replace Bitcoin’s current signature scheme with ML-DSA, the module-lattice signature standard formalized by the National Institute of Standards and Technology (NIST) as Federal Information Processing Standard (FIPS) 204, for post-quantum security assumptions.
It is worth remembering that in most Bitcoin quantum-threat models, the key precondition is public-key exposure. If a public key is already visible onchain, a sufficiently capable future quantum computer could, in theory, attempt to recover the corresponding private key offline.
Did you know? BTQ Technologies is a research-focused firm working on post-quantum cryptography and blockchain security. Its Bitcoin Quantum testnet is designed to study how quantum-resistant signatures behave in a Bitcoin-like system.
Most Bitcoin quantum-risk discussions focus on digital signatures, not on Bitcoin’s coin supply or the idea that a quantum computer could magically guess random wallets.
The specific concern is that a cryptographically relevant quantum computer (CRQC) could run Shor’s algorithm to solve the discrete logarithm problem efficiently enough to derive a private key from a known public key, undermining both the Elliptic Curve Digital Signature Algorithm (ECDSA) and Schnorr-based signing.
Chaincode Labs frames this as the dominant quantum threat model for Bitcoin because it could enable unauthorized spending by producing valid signatures.
The risk can be separated into long-range exposure, where public keys are already visible onchain for some older script types or due to reuse, and short-range exposure, where public keys are revealed when a transaction is broadcast and awaits confirmation, creating a narrow time window.
Of course, no quantum computer today poses an immediate risk to Bitcoin, and mining-related impacts should be treated as a separate and more constrained discussion compared with signature breakage.
Did you know? Shor’s algorithm already exists as mathematics, but it requires a large, fault-tolerant quantum computer to run. If such machines are built, they could be used to derive private keys from exposed public keys.
BTQ’s Bitcoin Quantum testnet is essentially a Bitcoin Core-based fork that swaps out one of Bitcoin’s most important primitives, signatures.
In its announcement, BTQ said the testnet replaces ECDSA with ML-DSA, the module-lattice signature scheme standardized by the NIST as FIPS 204 for post-quantum digital signatures.
This change forces a set of engineering trade-offs. ML-DSA signatures are roughly 38-72 times larger than ECDSA, so the testnet raises the block size limit to 64 mebibytes (MiB) to make room for the additional transaction data.
The company also treats the network as a full lifecycle proving ground, supporting wallet creation, transaction signing and verification, and mining, along with basic infrastructure such as a block explorer and mining pool.
In short, the testnet’s practical value is that it turns post-quantum Bitcoin into a performance and coordination experiment.
When analysts talk about “old BTC risk” in a post-quantum context, they are usually referring to public keys that are already exposed onchain.
A future CRQC capable of running Shor’s algorithm could, in theory, use those public keys to derive the corresponding private keys and then produce valid spends.
There are three output types immediately vulnerable to long-range attacks, specifically because they place elliptic-curve public keys directly in the locking script (ScriptPubKey): Pay-to-Public-Key (P2PK), Pay-to-Multi-Signature (P2MS) and Pay-to-Taproot (P2TR).
The distribution is uneven:
Address reuse can also turn what would otherwise be “spend-time” exposure into long-range exposure because once a public key appears onchain, it remains visible.
BTQ’s own messaging uses this exposed-key framing to argue that the potentially affected pool is large. It cites 6.26 million BTC as exposed, which is part of why the company says testing post-quantum signatures in a Bitcoin-like environment is worth doing now.
In the near term, the most concrete work is observability and preparedness.
As explored, the signature threat model is driven by public-key exposure. This is why discussions often center on how Bitcoin’s existing wallet and scripting practices either reveal public keys early, as with some legacy script types, or reduce exposure by default, as with common wallet behavior that avoids reuse.
“Old BTC risk” is therefore largely a property of historical output types and reuse patterns and not something that suddenly applies evenly to every coin.
The second, more practical constraint is capacity. Even if a post-quantum migration were socially agreed upon, it would still be a blockspace and coordination problem.
River’s explainer summarizes academic estimates showing how sensitive timelines are to assumptions. A theoretical scenario in which all transactions are migrations can compress timelines dramatically, while more realistic blockspace allocation stretches a transition into years, even before accounting for governance and adoption.
BTQ’s testnet fits into that bucket. It lets engineers observe the operational costs of post-quantum signatures, including larger data sizes and different limits, in a Bitcoin-like setting, without claiming that Bitcoin is imminently breakable.
Did you know? The biggest factor holding quantum computers back is noise, or errors. Today’s qubits make mistakes frequently, so fault-tolerant error correction is required. This means using many physical qubits to produce a small number of reliable “logical” qubits before running the long computations needed to break real-world cryptography.
At the protocol level, quantum preparedness is often discussed as a sequenced path.
Post-quantum signature schemes tend to be much larger than elliptic-curve signatures, which have knock-on effects for transaction size, bandwidth and verification costs; the same kinds of trade-offs BTQ is surfacing by experimenting with ML-DSA.
That is why some Bitcoin proposals focus first on reducing the most structural exposure within existing script designs, without committing the network to a specific post-quantum signature algorithm immediately.
A recent example is Bitcoin Improvement Proposal (BIP) 360, which proposes a new output type called Pay-to-Tapscript-Hash (P2TSH). P2TSH is nearly identical to Taproot but removes the key-path spend, the path that relies on elliptic-curve signatures, leaving a tapscript-native route that can be used in ways intended to avoid that key-path dependency.
Related ideas have circulated on the Bitcoin developer mailing list under the broader “hash-only” or “script-spend” Taproot family, often discussed as Pay-to-Quantum-Resistant-Hash (P2QRH)-style constructions. These proposals again aim to reuse Taproot’s structure while skipping the quantum-vulnerable key spend.
Importantly, none of this is settled. The main point is that Bitcoin’s likely response, if it moves, is debated as an incremental coordination problem that balances conservatism, compatibility and the cost of changing the transaction format.
BTQ’s Bitcoin Quantum testnet does not settle the quantum debate, but it does make two points harder to ignore.
First, most credible threat models focus on where public keys are already exposed, which is why “old coin” patterns keep appearing in analyses.
Second, post-quantum Bitcoin is an engineering and coordination problem. BTQ Technologies’ own design choices, such as moving to ML-DSA and lifting block limits to accommodate much larger signatures, illustrate those trade-offs.
Ultimately, the testnet is a sandbox for measuring costs and constraints and should not be seen as proof that Bitcoin is imminently breakable.
