Key takeaways
- Bitcoin’s quantum risk centers on exposed public keys and signature security.
- The BTQ testnet explores post-quantum signatures in a Bitcoin-like environment.
- Post-quantum signatures significantly increase transaction sizes and block space demands.
- “Legacy BTC risk” is concentrated in legacy output types and address reuse patterns.
BTQ Technologies said it launched a Bitcoin Quantum testnet on January 12, 2026, a Bitcoin-like network designed to test post-quantum signatures without touching the governance of the Bitcoin mainnet.
The idea is that BTQ replaces Bitcoin’s current signature scheme with ML-DSA, the module-lattice signature standard formalized by the National Institute of Standards and Technology (NIST) as Federal Information Processing Standard (FIPS) 204, which is built on post-quantum security assumptions.
It is worth remembering that in most Bitcoin quantum threat models, the key prerequisite is exposure of the public key. If a public key is already visible on-chain, a sufficiently powerful future quantum computer could, in theory, attempt to derive the corresponding private key offline.
Did you know? BTQ Technologies is a research-driven company working on post-quantum cryptography and blockchain security. Its Bitcoin Quantum testnet is designed to study the behavior of quantum-resistant signatures in a Bitcoin-like system.
What quantum changes?
Most discussions of Bitcoin’s quantum risks focus on digital signatures, not the supply of Bitcoin coins or the idea that a quantum computer could magically guess random wallets.
The specific concern is that a cryptographically relevant quantum computer (CRQC) could run Shor’s algorithm to solve the discrete logarithm problem efficiently enough to derive a private key from a known public key, undermining both the Elliptic Curve Digital Signature Algorithm (ECDSA) and Schnorr-based signatures.
Chaincode Labs considers it the dominant quantum threat model for Bitcoin, as it could enable unauthorized spending by producing valid signatures.
The risk can be divided into long-range exposure, where public keys are already visible on-chain for certain types of older scripts or due to their reuse, and short-range exposure, where public keys are revealed when a transaction is broadcast and awaits confirmation, creating a narrow time window.
Of course, no quantum computer poses an immediate risk to Bitcoin today, and mining-related impacts should be treated as a separate and more limited discussion than signature breaking.
Did you know? Shor’s algorithm already exists in mathematical form, but its operation requires a large, fault-tolerant quantum computer. If such machines are built, they could be used to derive private keys from exposed public keys.
What BTQ built and why it’s interesting
BTQ’s Bitcoin Quantum testnet is essentially a fork based on Bitcoin Core that replaces one of Bitcoin’s most important primitives, signing.
In its announcement, BTQ said the testnet replaces ECDSA with ML-DSA, the module-lattice signature scheme standardized by NIST as FIPS 204 for post-quantum digital signatures.
This change imposes a set of technical trade-offs. ML-DSA signatures are approximately 38 to 72 times larger than ECDSA signatures, so the testnet increases the block size limit to 64 mebibytes (MiB) to make room for the additional transaction data.
The company also treats the network as a full lifecycle testing ground, supporting wallet creation, transaction signing and verification, and mining, as well as core infrastructure such as a block explorer and mining pool.
In short, the practical value of the testnet is that it transforms post-quantum Bitcoin into a performance and coordination experiment.
Where the old BTC risk is concentrated
When analysts talk about “old BTC risk” in a post-quantum context, they are usually referring to public keys already exposed on-chain.
A future CRQC capable of running Shor’s algorithm could, in theory, use these public keys to derive corresponding private keys and then produce valid spends.
Three output types are immediately vulnerable to long-range attacks because they place elliptic curve public keys directly in the locking script (scriptPubKey): Pay-to-Public-Key (P2PK), Pay-to-Multi-Signature (P2MS), and Pay-to-Taproot (P2TR).
The distribution is unequal:
- P2PK represents a tiny share of today’s unspent transaction outputs (UTXOs), about 0.025%, but it locks up a disproportionate share of BTC value, about 8.68% or 1,720,747 Bitcoin (BTC), mostly dormant coins from the Satoshi era.
- P2MS accounts for around 1.037% of UTXOs, but reports estimate that it only secures around 57 BTC.
- P2TR is common in number, around 32.5% of UTXOs, but low in value in the same snapshot, around 0.74% or 146,715 BTC. Its exposure is related to Taproot’s key path design, where a tweaked public key is visible on-chain.

Address reuse can also turn what would otherwise be a “spend-time” exposure into a long-range exposure, because once a public key appears on-chain, it remains visible.
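As an added illustration (not from the article or from BTQ), the Python example below classifies a locking script by whether it carries a public key in the clear, covering the three long-range-exposed types named above plus the common hashed types. The sample scripts are constructed from placeholder bytes, and the helper names are this example's own.

```python
# Added example, not from the article: flag locking scripts that expose a public key.
OP_CHECKSIG, OP_CHECKMULTISIG, OP_1, OP_16 = 0xAC, 0xAE, 0x51, 0x60

def _is_pubkey(b: bytes) -> bool:
    # Compressed (33 bytes, prefix 02/03) or uncompressed (65 bytes, prefix 04).
    return (len(b) == 33 and b[0] in (2, 3)) or (len(b) == 65 and b[0] == 4)

def _is_bare_multisig(spk: bytes) -> bool:
    # Pattern: OP_m <pubkey>... OP_n OP_CHECKMULTISIG, with 1 <= m <= n <= 16.
    if len(spk) < 4 or spk[-1] != OP_CHECKMULTISIG:
        return False
    m, n = spk[0], spk[-2]
    if not OP_1 <= m <= n <= OP_16:
        return False
    pos, keys, end = 1, 0, len(spk) - 2
    while pos < end:
        size = spk[pos]  # direct push of 33 or 65 bytes
        if size not in (33, 65) or pos + 1 + size > end or not _is_pubkey(spk[pos + 1 : pos + 1 + size]):
            return False
        pos, keys = pos + 1 + size, keys + 1
    return keys == n - OP_1 + 1

def classify(spk_hex: str) -> tuple:
    """Return (output type, True if a public key sits in the locking script)."""
    spk = bytes.fromhex(spk_hex)
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG and _is_pubkey(spk[1:-1]):
        return "P2PK", True
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True  # 32-byte x-only output key is stored directly
    if _is_bare_multisig(spk):
        return "P2MS", True
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", False  # only HASH160(pubkey) is visible until the coin is spent
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", False
    if n in (22, 34) and spk[0] == 0x00 and spk[1] == n - 2:
        return ("P2WPKH" if n == 22 else "P2WSH"), False
    return "other", False

# Constructed sample scripts (placeholder key and hash bytes, not real outputs).
KEY_A, KEY_B = "02" + "11" * 32, "03" + "44" * 32
SAMPLES = {
    "p2pk": "21" + KEY_A + "ac",
    "p2ms_1of2": "51" + "21" + KEY_A + "21" + KEY_B + "52" + "ae",
    "p2tr": "5120" + "33" * 32,
    "p2pkh": "76a914" + "55" * 20 + "88ac",
    "p2wpkh": "0014" + "55" * 20,
}
EXPOSED = sorted(k for k, v in SAMPLES.items() if classify(v)[1])
```

A `False` result only describes the unspent output: a hashed type still reveals its key when it is spent, which is how address reuse moves funds into the exposed category.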
BTQ’s own messaging uses this exposed key framing to claim that the potentially affected pool is large. It cites 6.26 million BTC as exposed, which is part of why the company says testing post-quantum signatures in a Bitcoin-like environment is worth doing now.
What’s next for Bitcoin?
In the short term, the most concrete work is around observability and preparedness.
As we explored, the signature threat model is driven by exposure of the public key. This is why discussions often focus on how Bitcoin’s existing wallet and scripting practices either reveal public keys earlier, as with certain types of legacy scripts, or reduce exposure by default, as with common wallet behavior that avoids reuse.
“Old BTC risk” is therefore largely a property of historical output types and reuse patterns and not something that suddenly applies equally to every coin.
The second, more practical constraint is capacity. Even if a post-quantum migration were socially accepted, it would still remain a block space and coordination problem.
River’s explanation summarizes academic estimates showing how timelines are sensitive to assumptions. A theoretical scenario in which all transactions are migrations can significantly reduce timelines, while a more realistic allocation of block space extends the transition over several years, even before accounting for governance and adoption.
BTQ’s testnet fits into this bucket. It allows engineers to observe the operational costs of post-quantum signatures, including larger data sizes and different limits, in a Bitcoin-like environment, without pretending that a quantum attack on Bitcoin is imminent.
Did you know? The main factor holding quantum computers back is noise or errors. Today’s qubits frequently make errors, so fault-tolerant error correction is necessary. This means using many physical qubits to produce a small number of reliable “logical” qubits before running the lengthy calculations needed to break real-world cryptography.
What Bitcoin-level mitigation could look like
At the protocol level, quantum preparation is often approached as a sequenced path.
Post-quantum signature schemes tend to produce much larger signatures than elliptic curve schemes, which has implications for transaction size, bandwidth, and verification costs. These are the same types of trade-offs that BTQ surfaces when experimenting with ML-DSA.
This is why some Bitcoin proposals focus first on reducing the most structural exposure within existing scripting designs, without immediately committing the network to a specific post-quantum signing algorithm.
A recent example is Bitcoin Improvement Proposal (BIP) 360, which proposes a new output type called Pay-to-Tapscript-Hash (P2TSH). P2TSH is almost identical to Taproot but removes the key path spend, the path that relies on elliptic curve signatures, leaving a native tapscript route that can be used in a way that avoids this key path dependency.
Related ideas have been circulating on the Bitcoin developer mailing list under the broader Taproot “hash-only” or “script-spend” family, often discussed as Pay-to-Quantum-Resistant-Hash (P2QRH) style constructs. These proposals again aim to reuse Taproot’s structure while avoiding quantum-vulnerable key spends.
Above all, none of this is resolved. The main point is that Bitcoin’s likely response, if it moves, is debated as a progressive coordination problem that balances conservatism, compatibility, and the cost of changing transaction formats.
The BTQ testnet is quite revealing
BTQ’s Bitcoin Quantum testnet doesn’t settle the quantum debate, but it does make two points harder to ignore.
First, the most credible threat models focus on places where public keys are already exposed, which is why “old coin” patterns keep appearing in analyses.
Second, post-quantum Bitcoin is an engineering and coordination problem. BTQ Technologies’ own design choices, such as moving to ML-DSA and lifting block limits to accommodate much larger signatures, illustrate these tradeoffs.
Ultimately, the testnet is a sandbox for measuring costs and constraints and should not be taken as proof that a quantum attack on Bitcoin is imminent.


