Bitcoin Core publicly names every cryptographic primitive in active use. Deduction: BIP-360 candidate primitives (ML-DSA / SLH-DSA / FN-DSA) are listed in draft only, not active mainnet primitives.

Every active asymmetric primitive is Shor-vulnerable. The encrypted-transport handshake uses ECDH, so even peer-to-peer link confidentiality has HNDL exposure for any future post-quantum adversary.

Bitcoin currently deploys zero PQ algorithm families on mainnet. BIP-360 proposes lattice (ML-DSA), with FN-DSA and SLH-DSA as secondary candidates, but none are merged into Bitcoin Core. Diversity Cap is not yet triggered because lattice-monoculture has not shipped; if BIP-360 ships ML-DSA without a hash-based fallback, the cap fires.

BIP-360 draft text references ML-DSA (FIPS 204), SLH-DSA (FIPS 205) and FN-DSA candidate parameter sets but does not select a final category for mainnet. No mainnet output uses a NIST PQC parameter set today.

libsecp256k1 has constant-time scalar/point operations, deterministic nonces (RFC 6979), and ongoing fuzzing/Coq-style spec work; one of the most-reviewed ECC libraries in production. Cryptanalytic tier 1 for ECDSA/Schnorr secp256k1 and SHA-256. BIP-324 uses standard ChaCha20-Poly1305 (RFC 8439). No formally-verified PQ implementation has shipped to Bitcoin Core. The BTQ Bitcoin Quantum testnet v0.3.0 ships Dilithium opcodes outside the Core review process, which lowers tier confidence.

Bitcoin's UTXO model exposes pubkeys at varying rates by output type. P2TR (Taproot key-path) outputs publish the 32-byte x-only pubkey directly in the scriptPubKey, these are actively exposed. P2PKH/P2WPKH outputs hash the pubkey; pubkey is revealed only when spent. Address reuse, mempool revelation, and P2PK outputs all lift exposure. Project Eleven estimates ~6.9 million BTC at quantum-vulnerable addresses with public keys visible on-chain (~33% of supply). Of that, ~1.7 million BTC sits in P2PK scripts, including roughly 1 million BTC attributable to ~20,000 Satoshi-era P2PK outputs.

Cold-key exposure is the dominant Bitcoin Forge surface. Project Eleven counts ~1 million BTC concentrated in 11 addresses (Satoshi-era P2PK), plus a long tail of ~20,000 individual P2PK keys totaling ~1.7M BTC. These outputs have had public keys visible on-chain since 2009-2010 and many have not moved for 15+ years, making Y for these holders effectively infinite, they cannot be migrated by their owners. The headline driver of BIP-361 and Hourglass V2 (rate-limit) proposals.

Bitcoin signatures retain validity indefinitely in the UTXO model, there is no expiry. Any output script with an exposed pubkey is forgeable forever post-Shor unless the UTXO is moved to a PQ-safe output type. X = effectively infinite for the cold cohort. Structurally worse than account-based chains where rotated keys can invalidate prior signatures.

BIP-324 uses ECDH-secp256k1 handshake and ChaCha20-Poly1305 AEAD. The handshake is Shor-vulnerable; harvested handshakes and link traffic could be retroactively decrypted. RPC over TLS uses standard classical KEMs unless operators deploy hybrid KEM at the load-balancer layer. No protocol-level PQ KEM is documented for Bitcoin's transport. Mitigating factor: Bitcoin link traffic is largely block/tx propagation already mirrored on-chain in plaintext, so the privacy delta from HNDL is small relative to validator gossip on PoS chains.

Bitcoin is pseudonymous UTXO. Public chain analytics (Chainalysis, Arkham, mempool.space) cluster addresses with high recall. Off-chain mixers (CoinJoin, Wasabi 2.x, JoinMarket) provide partial unlinkability for users who opt in. No protocol-level shielded set.

Bitcoin nodes are widely self-hosted (~20K reachable nodes). Top-3 RPC providers (mempool.space, blockstream.info, self-hosted Electrum servers) less concentrated than EVM RPC. Mempool gossip is observable via any full node. Validator metadata retention does not apply (PoW). Mining pool concentration is high: Foundry USA ~25.6%, AntPool ~19.8%, ViaBTC ~10-11%; combined top-3 ~55%, with a March 2026 reorg event illustrating concentration risk.

WBTC (BitGo custody, Ethereum), tBTC (decentralized, threshold ECDSA), and Lightning Network are the dominant Bitcoin bridges/L2s. WBTC mints/burns are fully traceable through the BitGo merchant flow. tBTC uses a t-ECDSA signing group and is publicly auditable. Lightning provides off-chain unlinkability for routed payments but channel open/close are on-chain.

Shor on secp256k1 exposes pubkeys behind every previously-spent P2PKH/P2WPKH output, plus all P2TR outputs by construction. Address-clustering heuristics already perform near-complete de-anonymization for non-CoinJoin users; PQ does not add catastrophic anonymity loss but removes the small remaining privacy buffer for cold P2PKH addresses.

No protocol-level mixnet. Off-chain CoinJoin coordinators (Wasabi 2.x, JoinMarket) provide opt-in shuffling, wallet-layer only. Samourai Whirlpool was shut down in 2024.

Bitcoin requires a soft fork to introduce new output types or signature schemes. Historical cadence: SegWit (2017, ~2 years to activation), Taproot (2021, ~3 years from BIP-340 to activation). BIP-360 P2MR is structured as a soft fork adding a new SegWit version 2 output type, the canonical agility path. There is no algorithm-switch primitive comparable to EIP-7702.

No account abstraction. UTXO model has no native key rotation, users must spend from old outputs to new addresses, which itself reveals the pubkey at spend time. Client-layer PQ wrappers (e.g., commitment-to-PQ-pubkey schemes proposed in BIP-360 discussions) are spec-only. Migration burden falls entirely on individual UTXO holders.

Strong record of soft-fork upgrades under contested conditions. SegWit 2017 (UASF activation under block-size-war pressure) and Taproot 2021 (Speedy Trial signaling) both shipped without chain split. Block-size war (2015-2017) demonstrated coordination capability under adversarial pressure. Cadence is conservative, typically 2-4 years from BIP draft to activation.

BIP-360 P2MR is hybrid by construction, a new output type alongside existing P2PKH/P2WPKH/P2TR. Old UTXOs remain spendable under classical ECDSA/Schnorr; new UTXOs commit to a Merkle root over PQ pubkeys. The canonical Gate 1a-Sig OR-composition pattern. Gate 1b (commit-to-hash) is satisfied by the Merkle-root commitment. Status: Draft, not active.

BIP-360 candidate primitives are stateless (ML-DSA, SLH-DSA, FN-DSA). No stateful hash scheme (XMSS, LMS) is in scope. Default 15/15 per v3.1 rule.

N/A, Nakamoto PoW, no BLS aggregation in consensus.

Zero PQC primitives on Bitcoin mainnet as of 2026-05-01. BIP-360 is Draft; BIP-361 is Draft (merged into bitcoin/bips 2026-04-15). No mainnet PQ output type. BTQ Bitcoin Quantum testnet v0.3.0 ships Dilithium opcodes but is testnet-only and outside Bitcoin Core.

Zero PQ code merged in Bitcoin Core. External BTQ Bitcoin Quantum client (forked from Core) ships Dilithium opcodes on testnet v0.3.0. Not in mainline.

PoW network, no validator set. Miners run SHA-256d unchanged; their per-block signature is over coinbase transactions using ECDSA secp256k1, not PQ.

VOIDED to 0 per v3.1 (5a=0 forces Milestone-Discipline cap). Bitcoin does have multiple dated artifacts, BIP-360 entered the BIPs repository on 2026-02-11 (Draft); BIP-361 was merged 2026-04-15 with three-phase sunset; BTQ Bitcoin Quantum testnet v0.3.0 March 2026; Hourglass V2 spec on personal GitHub. None are enforcement-mechanism-backed.

Announced PQC artifacts in trailing 12 months: BIP-360, BIP-361, Hourglass V2, BTQ testnet v0.3.0, Project Eleven Q-Day Prize publicity, industry-press Bitcoin PQ commentary, Trezor Safe 7 firmware-signing. Shipped on mainnet: zero. Bitcoin's published artifacts are technically grounded BIPs and explicitly labelled Draft; estimated ratio ~3-4 announced-to-shipped, qualifying for the >1.5 deduction band but below the >5.0 narrative-only tag.

BIP-360 references ML-DSA-44 (~2,420-byte signature, ~1,312-byte pubkey), SLH-DSA-128s (~7,856 bytes), FN-DSA-512 (~666 bytes). Versus current Bitcoin Schnorr 64-byte signature, multipliers fall in the 10-125× range raw bytes. Adjusted to vbytes via SegWit witness discount, BIP-360 estimates ~5-7× block-cost increase per spend for ML-DSA.

Top-3 Bitcoin custody wallets by user volume include Ledger, Trezor, Coinbase Wallet (custodial-adjacent); active hardware-wallet leaders are Trezor, Ledger, Coldcard. Trezor Safe 7 ships SLH-DSA-SHA2-128s in hybrid with Ed25519 for firmware-signing and boot verification, first hardware wallet with shipped PQC for any signing path (firmware, not user transactions). Ledger Donjon published 2026 PQC research analysis but has not announced a product PQC roadmap.

Top-3 Bitcoin bridges: WBTC (BitGo-custodied), tBTC (threshold-ECDSA, Threshold Network), Lightning Network. Zero have published PQC roadmaps. WBTC depends on BitGo. tBTC uses threshold ECDSA, same secp256k1 vulnerability. Lightning channels use ECDSA-secp256k1 commitment transactions and ECDH for onion routing (Sphinx).

Top-3 institutional Bitcoin custodians: Coinbase Custody, BitGo, Fidelity Digital Assets. Fireblocks has publicly committed to publishing a full PQC strategy document later in 2026 covering certificate, TLS, and MPC migration. Coinbase Custody committed in April 2026 to launching quantum-proof institutional custody by late 2026 (not dated more precisely). BitGo and Fidelity have no public PQC migration timetable.

Bitcoin RPC concentration is low (self-hosted majority, mempool.space, Blockstream Esplora). Of HSM vendors holding institutional Bitcoin keys (Thales Luna, AWS CloudHSM, YubiHSM, Ledger Vault), AWS KMS published a PQC hybrid TLS pilot for KMS endpoints in 2024-2025; broader signing-path PQC is research only. TEE attestation (Intel SGX/TDX, AMD SEV-SNP, AWS Nitro) remains classical for attestation-key signing.

Mining pool concentration is real: Foundry USA ~25.6% + AntPool ~19.8% combined ~45%, top-3 with ViaBTC ~55-56%. Nakamoto coefficient for mining ≈ 3. Reachable node count ~20K; node software diversity is dominated by Bitcoin Core with minor Bitcoin Knots and btcd presence. March 2026 saw a 2-block reorg from Foundry, concentration is no longer hypothetical.

SegWit 2017 (UASF), Taproot 2021 (Speedy Trial). Both successful. Cadence is slow but the network has shipped consensus-level upgrades under contested conditions. BIP-360 / BIP-361 are early in this cycle. BIP-360 co-author estimate: 7-year migration window from spec to activation.

No formal foundation. Bitcoin Core maintainers operate under rough-consensus model. BIP authorship is distributed: BIP-360, BIP-361. No named coordination lead with mandate to ship PQ across the ecosystem. Coinbase CEO Brian Armstrong announced in April 2026 a coalition to coordinate Bitcoin PQ migration, early stage.

Block size wars 2015-2017, UASF, SegWit activation under fork-threat conditions. Strong precedent for rough-consensus coordination under economic and political pressure.

Hourglass V2 (Hunter Beast / cryptoquick) is a rate-limited spending rule canary, proposed at consensus level, ≤1 BTC/block from P2PK outputs (~144 BTC/day, vs unconstrained ~6,000+ P2PK transactions per block). Status: spec only on personal BIPs branch, not in bitcoin/bips. Project Eleven Q-Day Prize functions as a community honeypot signal, awarding 1 BTC for documented quantum attacks on ECC of progressively larger key sizes (15-bit broken April 2026, since disputed).