BTQ Technologies announced the launch of its Bitcoin Quantum testnet on January 12, 2026. This network is designed to trial post-quantum signatures in an environment similar to Bitcoin, without affecting the Bitcoin mainnet's governance.
The objective of BTQ is to replace Bitcoin's current signature scheme with ML-DSA. ML-DSA is the module-lattice signature standard formalized by the National Institute of Standards and Technology (NIST) as Federal Information Processing Standard (FIPS) 204, intended for post-quantum security assumptions.
It is important to recall that in most Bitcoin quantum-threat models, the critical precondition is the exposure of public keys. If a public key is already visible on the blockchain, a sufficiently advanced future quantum computer could potentially attempt to recover the corresponding private key offline.
BTQ Technologies is a research-focused firm concentrating on post-quantum cryptography and blockchain security. Its Bitcoin Quantum testnet is specifically built to analyze how quantum-resistant signatures perform within a system akin to Bitcoin.
Understanding Quantum's Impact
Most discussions regarding Bitcoin's quantum risk center on digital signatures, not on the coin supply or the possibility of quantum computers randomly guessing wallet keys.
The specific concern is that a cryptographically relevant quantum computer (CRQC) could execute Shor's algorithm. This algorithm can efficiently solve the discrete logarithm problem, enabling the derivation of a private key from a known public key, thereby compromising both the Elliptic Curve Digital Signature Algorithm (ECDSA) and Schnorr-based signing methods.
Chaincode Labs characterizes this as the primary quantum threat model for Bitcoin, as it could allow for unauthorized spending by generating valid signatures.
This risk can be categorized into long-range exposure, where public keys are already visible on-chain due to older script types or address reuse, and short-range exposure, where public keys are revealed when a transaction is broadcast and awaiting confirmation, creating a brief vulnerability window.
Currently, no quantum computer poses an immediate threat to Bitcoin. Mining-related impacts should be considered a separate and more confined issue compared to the potential breakage of signature schemes.
Shor's algorithm is a mathematical concept that exists today, but its practical application requires a large, fault-tolerant quantum computer. If such machines are developed, they could be used to derive private keys from exposed public keys.
BTQ's Testnet and Its Significance
BTQ's Bitcoin Quantum testnet is essentially a fork of Bitcoin Core that modifies one of Bitcoin's most critical components: signatures.
In its announcement, BTQ stated that the testnet replaces ECDSA with ML-DSA, the module-lattice signature scheme standardized by NIST as FIPS 204 for post-quantum digital signatures.
This modification necessitates a series of engineering trade-offs. ML-DSA signatures are substantially larger than ECDSA signatures, approximately 38 to 72 times greater. Consequently, the testnet has increased the block size limit to 64 mebibytes (MiB) to accommodate the additional transaction data.
The company has designed the network as a comprehensive proving ground, supporting wallet creation, transaction signing and verification, and mining. It also includes essential infrastructure such as a block explorer and a mining pool.
In essence, the practical value of this testnet lies in its function as a performance and coordination experiment for a post-quantum version of Bitcoin.
Concentration of "Old BTC" Risk
When analysts discuss "old BTC risk" in the context of post-quantum security, they are typically referring to public keys that are already exposed on the blockchain.
A future CRQC capable of running Shor's algorithm could, in theory, utilize these public keys to derive the corresponding private keys and then generate valid spending transactions.
Three output types are immediately vulnerable to long-range attacks because they directly embed elliptic-curve public keys within the locking script (ScriptPubKey): Pay-to-Public-Key (P2PK), Pay-to-Multi-Signature (P2MS), and Pay-to-Taproot (P2TR).
The distribution of these vulnerable outputs is uneven:
- •P2PK represents a very small fraction of current unspent transaction outputs (UTXOs), approximately 0.025%. However, it secures a disproportionately large share of BTC value, around 8.68% or 1,720,747 Bitcoin (BTC). This value is largely composed of dormant coins from the Satoshi era.
- •P2MS accounts for about 1.037% of UTXOs, but it secures an estimated 57 BTC.
- •P2TR is common by count, making up around 32.5% of UTXOs. However, its value is relatively small in the same snapshot, approximately 0.74% or 146,715 BTC. Its exposure is linked to Taproot's key-path design, where a tweaked public key is visible on the blockchain.
Address reuse can also transform what would typically be "spend-time" exposure into long-range exposure. This occurs because once a public key is revealed on the blockchain, it remains visible indefinitely.
BTQ's own communication highlights this exposed-key framing to suggest that the potentially affected pool of Bitcoin is substantial. The company cites 6.26 million BTC as exposed, which contributes to their rationale for testing post-quantum signatures in a Bitcoin-like environment now.
The Future Path for Bitcoin
In the immediate future, the most tangible efforts will focus on observability and preparedness.
As discussed, the signature threat model is driven by public-key exposure. This is why discussions frequently revolve around how Bitcoin's existing wallet and scripting practices either expose public keys early, as seen with some legacy script types, or minimize exposure by default, as with common wallet behaviors that avoid address reuse.
Therefore, "old BTC risk" is largely a characteristic of historical output types and reuse patterns, rather than a uniform risk applied to every coin.
A second, more practical constraint is capacity. Even if a post-quantum migration were to gain social consensus, it would still present challenges related to blockspace and coordination.
River's explainer summarizes academic estimates that illustrate how sensitive timelines are to various assumptions. A theoretical scenario where all transactions are migrations could compress timelines significantly. In contrast, a more realistic allocation of blockspace would extend a transition over several years, even before considering governance and adoption challenges.
BTQ's testnet aligns with this practical consideration. It allows engineers to observe the operational costs associated with post-quantum signatures, including larger data sizes and different limits, within a Bitcoin-like setting. This is done without claiming that Bitcoin is imminently vulnerable.
The primary obstacle hindering the development of quantum computers is noise, or errors. Today's qubits are prone to frequent mistakes, necessitating fault-tolerant error correction. This involves using numerous physical qubits to create a small number of reliable "logical" qubits before undertaking the extensive computations required to break real-world cryptography.
Potential Bitcoin-Level Mitigations
At the protocol level, quantum preparedness is often conceptualized as a sequential process.
Post-quantum signature schemes are typically much larger than elliptic-curve signatures, leading to consequential effects on transaction size, bandwidth, and verification costs. These are the same types of trade-offs that BTQ is surfacing through its experiments with ML-DSA.
Consequently, some Bitcoin proposals prioritize reducing the most structural exposure within existing script designs, without immediately committing the network to a specific post-quantum signature algorithm.
A recent example is Bitcoin Improvement Proposal (BIP) 360, which introduces a new output type known as Pay-to-Tapscript-Hash (P2TSH). P2TSH is nearly identical to Taproot but eliminates the key-path spend, which relies on elliptic-curve signatures. This leaves a tapscript-native route that can be utilized in ways designed to bypass that key-path dependency.
Related concepts have been discussed on the Bitcoin developer mailing list under the broader "hash-only" or "script-spend" Taproot family. These are often referred to as Pay-to-Quantum-Resistant-Hash (P2QRH)-style constructions. These proposals also aim to leverage Taproot's structure while omitting the quantum-vulnerable key spend.
Crucially, none of these approaches are finalized. The main point is that Bitcoin's likely response, if it proceeds with changes, is debated as an incremental coordination challenge that balances conservatism, compatibility, and the cost of altering the transaction format.
Insights from the BTQ Testnet
While BTQ's Bitcoin Quantum testnet does not resolve the quantum debate, it undeniably highlights two points that are becoming increasingly difficult to disregard.
Firstly, most credible threat models concentrate on situations where public keys are already exposed, which explains the recurring appearance of "old coin" patterns in analyses.
Secondly, the prospect of a post-quantum Bitcoin presents significant engineering and coordination challenges. BTQ Technologies' own design decisions, such as adopting ML-DSA and increasing block limits to accommodate much larger signatures, effectively illustrate these trade-offs.
Ultimately, the testnet serves as a sandbox for measuring costs and constraints. It should not be interpreted as evidence that Bitcoin is on the verge of imminent compromise.