Bitcoin Quantum Risk Debate Heats Up as Glassnode Quantifies Exposure and France Sets Timeline

Glassnode Flags 1.92M BTC Quantum-Exposed as France Sets 2027 Encryption Deadline

In today’s Bitcoin news, France’s cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) announced at the France Quantum conference that it will stop certifying security systems lacking quantum-resistant encryption from 2027, with a full migration deadline set for 2030 for government and critical infrastructure operators. The announcement coincides with Glassnode’s May 2026 report, which estimates that 6.04 million BTC—about 30.2% of total supply—has publicly visible keys on-chain.

The move represents one of the clearest national timelines yet for phasing out classical cryptography, arriving as attention grows around Bitcoin’s theoretical exposure to future quantum computing.

Glassnode Breakdown: 6.04 Million BTC at Risk

Glassnode divides the exposed supply into two categories. The first is 1.92 million BTC (around 9.6%), labeled structurally exposed. These include outputs where public keys are directly revealed, such as early P2PK transactions, legacy multisig setups, and Taproot outputs.

The second is 4.12 million BTC (about 20.6%), classified as operationally exposed. This includes coins made vulnerable through address reuse, partial spending, or custodial wallet practices.

The report notes that exchanges account for roughly 1.63–1.66 million BTC within the operational exposure group. In contrast, sovereign holdings from the U.S., U.K., and El Salvador reportedly show no exposure due to safer address practices. The remaining 13.99 million BTC (about 69.8%) is considered unexposed under Glassnode’s framework.

The core risk comes from Bitcoin’s ECDSA signature system on the secp256k1 curve. In theory, a sufficiently advanced quantum computer running Shor’s algorithm could derive private keys from exposed public keys, potentially compromising funds once a so-called “Q-Day” arrives. Hash-based outputs like P2PKH remain protected until spent.

France’s Post-Quantum Plan

ANSSI described the transition to post-quantum cryptography (PQC) as a strategic shift involving governance and sovereignty as much as technical upgrades.

Its roadmap requires organizations to inventory systems by end-2026, map dependencies by end-2027, and complete PQC migration by 2030.

This aligns with broader global expectations. Google is targeting 2029 for its own migration, while industry estimates suggest a cryptographically relevant quantum computer could emerge around 2030. NIST has also indicated a phaseout of RSA and ECC by roughly 2030–2035, with major tech firms already adjusting roadmaps.

Research presented at DEF CON 33 suggests that even a few thousand logical qubits could theoretically threaten secp256k1 under optimistic assumptions, though most experts still place practical risk further out.

Earlier studies vary: Deloitte estimated up to 4 million BTC could be exposed, while Chaincode Labs placed the range between 4 million and 10 million BTC. Glassnode’s 6.04 million estimate falls within this range but uses stricter classification criteria.