Glassnode Flags 1.92M BTC Quantum-Exposed as France Sets 2027 Crypto Security Deadline

In today’s Bitcoin news, France’s cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) announced at the France Quantum conference that it will stop certifying any security products lacking quantum-resistant encryption beginning in 2027, with a full transition required by 2030 for government agencies and critical infrastructure operators. The move comes alongside Glassnode’s May 2026 report, which estimates that 6.04 million BTC—about 30.2% of total supply—has publicly visible keys on-chain.

The policy marks one of the clearest government-defined timelines yet for transitioning away from classical cryptographic standards, arriving as researchers increasingly assess how vulnerable Bitcoin could become in a future quantum computing scenario.

Glassnode: How 6.04 Million BTC Is Exposed

Glassnode splits the exposed supply into two main groups. The first is 1.92 million BTC (around 9.6%), classified as structurally exposed. These coins include outputs where public keys are inherently revealed, such as early P2PK transactions, legacy multisig formats, and Taproot (P2TR) outputs.

The second group is 4.12 million BTC (about 20.6%), labeled operationally exposed. This includes coins whose public keys became visible due to address reuse, partial spending behavior, or custodial wallet practices.

The report emphasizes that current wallet behavior is a major driver of exposure. Centralized exchanges account for roughly 1.63–1.66 million BTC within the operational exposure category. By contrast, sovereign holdings from the U.S., U.K., and El Salvador reportedly show no quantum exposure due to non-revealing address structures. The remaining 13.99 million BTC (about 69.8%) is considered unexposed under Glassnode’s framework.

The core risk stems from Bitcoin’s use of ECDSA (Elliptic Curve Digital Signature Algorithm) over the secp256k1 curve. In theory, a sufficiently powerful quantum computer running Shor’s algorithm could derive private keys from exposed public keys, making already-revealed funds vulnerable once “Q-Day” arrives. Outputs based on hashed public keys, such as P2PKH, remain protected until spent.

France and the Shift to Post-Quantum Cryptography

At the France Quantum conference, ANSSI Chief of Staff Samih Souissi framed the transition as a broader issue of governance and sovereignty, not just technical migration.

The agency’s roadmap requires organizations to inventory sensitive systems by end-2026, map dependencies by end-2027, and fully migrate to post-quantum cryptography (PQC) by 2030.

This aligns with global timelines. Google has targeted 2029 for internal PQC migration, while quantum security firm Project Eleven estimates a cryptographically relevant quantum computer could emerge around 2030.

NIST has also outlined plans to phase out classical public-key cryptography, including RSA and ECC, by roughly 2030–2035, with major technology firms already adapting their infrastructure roadmaps.

Academic research presented at DEF CON 33 suggests that as few as 1,754 logical qubits could theoretically threaten secp256k1 under optimistic assumptions, though most experts still expect real-world risk to remain 10–20 years away.

Earlier studies vary widely. Deloitte has estimated up to 4 million BTC may be exposed under broader definitions, while Chaincode Labs places the range between 4 million and 10 million BTC. Glassnode’s 6.04 million figure falls within this spectrum but applies more specific classification rules.