Google’s decision to target full migration to post-quantum cryptography by 2029 has sharpened the timeline for risk planning across digital-asset infrastructure. For custodians, exchanges and treasury teams with Bitcoin exposure, the announcement turns a long-term theoretical issue into a near-term operational agenda.
At the center of that agenda is Bitcoin’s current security model. Bitcoin still relies primarily on ECDSA-style signatures to prove control of private keys and on SHA-256 for proof-of-work and address derivation, which means quantum risk does not affect every layer of the network in the same way. Shor’s algorithm is the more direct threat because it could, in principle, recover private keys from revealed public keys, while Grover’s algorithm weakens symmetric hashing more gradually by reducing its effective strength rather than breaking it outright.
The most immediate exposure is tied to revealed public keys
The highest-risk category is made up of funds whose public keys have already been exposed on-chain. Once a public key is revealed in a transaction, the security assumption changes, because a sufficiently capable quantum attacker could try to derive the private key during the period between broadcast and settlement.
By contrast, outputs protected only by a public key hash face a lower immediate risk. Addresses that have not yet revealed the public key require an additional pre-image step before a private key attack becomes possible, which raises the amount of work required for an attacker.
Multi-signature arrangements add complexity, but they do not remove the underlying issue. If enough constituent public keys are exposed and an attacker can compromise the required signing threshold, multi-sig structures can still become vulnerable despite their additional operational safeguards.
The scale of potential exposure remains contested. Some of the research and market commentary cited alongside Google’s announcement suggests that between 25% and 35% of Bitcoin’s supply, described as more than 6 million BTC, could be theoretically exposed depending on address types and key reuse. A much smaller segment, often cited at around 10,200 BTC, is presented as immediately at risk where public keys are already visible.
The urgency is now operational, not just theoretical
Not everyone agrees on how close the threat really is. Some firms argue that the practical danger is still overstated because there remains a substantial engineering gap between today’s systems and fault-tolerant quantum machines capable of exploiting ECDSA at scale. Even so, Google’s 2029 target changes the planning horizon for firms that cannot afford to wait for perfect certainty.
That is why the most important work now lies in preparation. Custodians and treasury teams need to inventory addresses that have revealed public keys, strengthen key-rotation policies and build migration paths toward post-quantum cryptographic standards. Those steps will not be simple, because any transition will require coordination across protocol-level signatures, client software, hardware wallets and institutional governance processes.
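One way to start the inventory described above, as an added example that is not from the original article: it classifies outputs by whether the scriptPubKey carries a public key directly or only a hash, and flags hashed outputs whose script has already been spent from (key reuse). The script templates are the standard Bitcoin output types, which the article does not list; the UTXO records, the `spent_scripts` set and every hex value are constructed.

```python
# Added example: sum holdings per public-key exposure class.
OP_CHECKSIG, OP_CHECKMULTISIG = 0xAC, 0xAE

def script_type(spk: bytes) -> str:
    """Match a scriptPubKey against the standard Bitcoin output templates."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"            # <pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh"
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "p2sh"
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"            # OP_1 <32-byte x-only output key>
    if n >= 37 and 0x51 <= spk[0] <= 0x60 and spk[-1] == OP_CHECKMULTISIG:
        return "bare-multisig"   # OP_m <pubkeys...> OP_n OP_CHECKMULTISIG
    return "nonstandard"

KEY_IN_OUTPUT = {"p2pk", "p2tr", "bare-multisig"}   # key visible in the output
HASHED = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}       # only a hash is visible

def exposure(spk_hex: str, spent_scripts: set) -> str:
    """spent_scripts: scriptPubKeys (hex) already spent from at least once."""
    kind = script_type(bytes.fromhex(spk_hex))
    if kind in KEY_IN_OUTPUT:
        return "exposed"
    if kind in HASHED:  # a prior spend revealed the key or redeem script
        return "exposed-by-reuse" if spk_hex.lower() in spent_scripts else "hashed"
    return "review"

def inventory(utxos, spent_scripts):
    totals = {}
    for u in utxos:
        label = exposure(u["spk"], spent_scripts)
        totals[label] = totals.get(label, 0) + u["sats"]
    return totals

PK = "02" + "11" * 32  # constructed placeholder bytes, not a real key
UTXOS = [              # constructed sample records
    {"spk": "21" + PK + "ac", "sats": 5_000_000_000},    # P2PK
    {"spk": "76a914" + "22" * 20 + "88ac", "sats": 100_000},  # P2PKH, never spent from
    {"spk": "0014" + "33" * 20, "sats": 250_000},         # P2WPKH, reused
    {"spk": "5120" + "44" * 32, "sats": 70_000},          # P2TR
    {"spk": "5121" + PK + "51ae", "sats": 1_000},         # 1-of-1 bare multisig
]
SPENT = {"0014" + "33" * 20}
```

The `review` bucket is for scripts that match no template and need manual inspection rather than an assumed classification.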
For Bitcoin-facing institutions, the practical message is clear. The priority is no longer debating whether quantum risk matters in the abstract, but documenting where exposure already exists and building credible plans to reduce it before the migration window closes.
