The Blockchain Quantum Exposure Scanner operates at the technical layer: it identifies which specific signature schemes, wallet address types, and protocol constructs in a blockchain environment carry quantum vulnerability, and at which layer that vulnerability exists. This is the tool for a security engineer or blockchain developer who needs protocol-level visibility rather than a strategic exposure overview. The Blockchain Quantum Exposure Assessment covers governance, key management strategy, and HNDL risk. This scanner covers the technical substrate. Scan your blockchain's technical quantum exposure

What the Blockchain Quantum Exposure Scanner Does

Inputs:

  • Blockchain platform: Bitcoin, Ethereum or EVM-compatible, Solana, Polkadot, Hyperledger Fabric, or other
  • Signature schemes in use: ECDSA, Schnorr, EdDSA, BLS, and multi-signature constructs
  • Wallet address formats (for Bitcoin environments): P2PK, P2PKH, P2WPKH. these have meaningfully different quantum exposure profiles
  • Smart contract cryptographic operations, if applicable
  • Cross-chain bridge and interoperability protocols, if in scope

The scanner maps each selected element to its quantum vulnerability profile: which elements are vulnerable, at which security level, and what the exposure surface is. Output is a layered vulnerability map by blockchain component with quantum exposure rating per layer and an aggregate rating.

The technical distinction that determines priority is not just which signature scheme is in use. it is whether the public key is exposed on-chain. A Bitcoin P2PK output embeds the public key directly in the output script. It is visible permanently and is directly vulnerable once a CRQC exists. A P2PKH address hides the public key behind a hash until spending, which narrows the exposure window to the transaction broadcast period. Most commentary on blockchain quantum risk ignores this distinction entirely and treats all ECDSA as equally urgent. It is not. The scanner surfaces this difference explicitly, which changes the prioritisation output for custody operations and UTXO management programmes.

Blockchain wallet type quantum vulnerability matrix showing P2PK as critical (public key always exposed), P2PKH and P2WPKH as high (key exposed at spend), P2SH as medium, P2TR as low, and multisig as high WALLET TYPE QUANTUM VULNERABILITY MATRIX WALLET TYPE PUBLIC KEY EXPOSURE QUANTUM RISK SEVERITY P2PK Pay-to-Public-Key Always exposed on-chain 9.4 CRITICAL P2PKH Pay-to-Public-Key-Hash Exposed at spend time 7.8 HIGH P2WPKH SegWit v0 Exposed at spend time 7.5 HIGH P2SH Pay-to-Script-Hash Script-dependent, partial 5.6 MEDIUM P2TR Taproot (Schnorr) Key path exposed at spend 4.1 LOW KEY INSIGHT Public key exposure determines quantum urgency, not the signature scheme alone. P2PK funds are vulnerable from CRQC day one. P2PKH has a broadcast-window only.
Wallet type quantum vulnerability matrix. The critical distinction is public key exposure: P2PK outputs expose the key permanently on-chain, making them immediately vulnerable to a CRQC. P2PKH and SegWit addresses only expose the key during the spending transaction broadcast window.

Quantum Vulnerability by Signature Scheme and Wallet Type

ECDSA (secp256k1)

Used by Bitcoin (legacy addresses) and Ethereum (transaction signatures). Quantum-vulnerable. A sufficiently large fault-tolerant quantum computer running Shor's algorithm can derive the private key from a public key by solving the elliptic curve discrete logarithm problem. The urgency of this vulnerability depends on key exposure: a public key that has been exposed on-chain is vulnerable from the moment a CRQC exists. A key behind a hash has a narrow exposure window during transaction broadcast.

Schnorr signatures

Used by Bitcoin on Taproot (P2TR) addresses following the November 2021 Taproot upgrade (block 709,632, BIP-340). Also quantum-vulnerable via Shor's algorithm. The security properties are similar to ECDSA from a quantum perspective: both are elliptic curve discrete logarithm problems, and Shor's algorithm solves ECDLP for any elliptic curve. P2TR outputs expose the internal key at spend time, with a broadcast exposure window similar to P2PKH.

EdDSA (Ed25519)

Used by Solana, Cardano, and others. Also quantum-vulnerable. Ed25519 is based on the discrete logarithm problem on the Edwards25519 curve. a different construction from secp256k1, but the same class of mathematical problem (ECDLP). Shor's algorithm breaks ECDLP regardless of the specific curve. The vulnerability conclusion is the same as for ECDSA.

BLS signatures

Used in Ethereum's consensus layer for validator signatures and in some interoperability protocols. Quantum-vulnerable via quantum algorithms operating on the bilinear pairing structures underlying BLS. BLS is considered particularly challenging to migrate. not because it is generically harder than ECDSA, but because its signature aggregation properties have no direct equivalent in any current NIST-standardised PQC algorithm. Ethereum's consensus layer uses BLS to aggregate thousands of validator signatures into a single compact signature. Migration requires not just swapping an algorithm but potentially rearchitecting how validator attestations are aggregated at the protocol level. There is no drop-in replacement.

Bitcoin wallet address types

Address type Public key exposure Quantum exposure
P2PK Exposed on-chain permanently Highest. public key visible to any CRQC operator from the moment a CRQC exists
P2PKH Exposed at spend time only Narrow broadcast-window exposure during transaction propagation
P2WPKH (SegWit) Exposed at spend time only Similar profile to P2PKH
P2TR (Taproot/Schnorr) Internal key exposed at spend time Narrow broadcast-window exposure; different signature construct (Schnorr) but same vulnerability class

The P2PK category is the most urgent quantum security concern in Bitcoin custody operations. If you hold P2PK UTXOs and a CRQC were to exist today, those funds would be at immediate risk. P2PKH and SegWit funds face a narrower window. a CRQC operator would need to intercept the transaction during the broadcast-to-confirmation interval and construct a competing double-spend. This is not impossible but is a harder attack than the P2PK case.

For HNDL risk on long-lived blockchain data, the exposure profile of on-chain records is a separate consideration from key security. data written to a permanent public ledger carries its own retrospective decryption risk profile.

Our tools are designed as directional tools only. Advice and standards are changing rapidly and although we update tools as new information is periodically released they are not designed as a replacement for expert advice. If your organisation results show high-priority exposure the next step is to contact our team or speak to a qualified expert member.

How to Use the Blockchain Quantum Exposure Scanner

Step 1. Open the scanner. No registration required.

Step 2. Select your blockchain platform. This determines the default signature scheme assumptions and the wallet type options relevant to your environment.

Step 3. Select all signature schemes in use in your environment. If you operate multiple blockchain systems. for example, an enterprise Hyperledger Fabric deployment and Ethereum-compatible smart contract infrastructure. select all applicable schemes. The scanner handles multi-scheme environments.

Step 4. For Bitcoin environments: identify your wallet address format distribution. What proportion of your holdings, custody arrangements, or UTXO set uses P2PK versus P2PKH versus SegWit? If you do not have a precise breakdown, an order-of-magnitude estimate is sufficient. the priority distinction between P2PK and everything else is large enough that rough proportions produce useful output.

Step 5. If smart contracts are in scope: indicate whether contracts use on-chain signature verification operations. Smart contracts that verify ECDSA signatures as part of their execution logic carry their own exposure layer independent of the wallet layer.

Step 6. If cross-chain bridges are in scope: identify the cryptographic constructs used. Many cross-chain bridges rely on ECDSA multi-signature schemes for the bridge validator set. These are quantum-vulnerable and are often a higher-priority migration target than the base chains themselves, because bridge security failures can affect multiple chains simultaneously.

Step 7. Review the layered vulnerability map. Each layer returns an exposure rating.

Step 8. Identify your highest-exposure layers and note the primary exposure source for each.

How to Use the Scanner Results

The output is a technical exposure map. The action pathway depends on the exposure layer.

Highest-exposure items (direct public key exposure, on-chain ECDSA operations, P2PK UTXOs): flag for immediate inclusion in your PQC migration programme. For P2PK specifically, migrating these UTXOs to a hashed address type is a practical intermediate step that reduces exposure without requiring a full protocol-level migration.

Medium-exposure items (hash-protected keys, spend-time exposure): include in the migration programme with standard prioritisation. The risk is real but the attack is harder. manage it as a second-tranche item.

Low-exposure or transitional items: monitor quarterly. Low scores do not mean zero exposure. they mean the combination of factors in that layer presents less urgent risk.

Cross-chain bridge exposure: if your highest-exposure element is a cross-chain bridge, the migration path requires coordination with the bridge operator. This is a third-party dependency. Raise it with the bridge programme immediately. bridge operators have their own migration timelines and your migration cannot proceed faster than theirs.

For a complete view of strategic exposure, governance risk, and HNDL considerations alongside this technical map, run the Blockchain Quantum Exposure Assessment as the paired assessment.

Discuss your results with a QSECDEF expert member. A directional assessment is the starting point, not the programme. If your results show high-priority exposure, the next step is a discussion about a structured migration programme with defined milestones. Request a consultation with our team or find a qualified expert member.