France is moving to phase out encryption that cannot withstand a quantum computer, a step reported by Decrypt on June 18, 2026, and it has pulled an old debate back to the surface: how exposed is Bitcoin when classical public-key cryptography stops being good enough?
The policy direction itself is not a surprise. France's cybersecurity agency, ANSSI, has spent years pressing public and private operators to begin a hybrid transition toward post-quantum algorithms, pairing today's schemes with newer ones designed to survive a quantum attack. The United States went through its own version of this when NIST finalized its first post-quantum standards in 2024. Treating non-quantum encryption as something to retire on a schedule, rather than someday, is the part that reads as new.
The threat model Bitcoin actually faces
Bitcoin leans on two pieces of cryptography. Transactions are signed with ECDSA over the secp256k1 curve, and the network's mining and hashing run on SHA-256. These are not equally exposed.
The signature scheme is the soft spot. A sufficiently large, error-corrected quantum computer running Shor's algorithm could in theory derive a private key from its corresponding public key. SHA-256 is more durable. Grover's algorithm weakens it, but only by roughly halving its effective strength, which a longer hash or modest parameter changes can absorb. So the realistic concern is not that Bitcoin's mining breaks. It is that the keys protecting balances could.
That distinction matters because of how Bitcoin addresses work. A public key only becomes visible on-chain once an address sends funds. Coins held at a fresh address that has never spent are shielded behind a hashed commitment, which buys an extra layer of protection. The coins most at risk are those sitting at addresses whose public keys are already exposed, including very old pay-to-public-key outputs and any address that has been reused after spending.
No imminent break, but a real clock
Nothing here is an emergency. No quantum machine that exists today can threaten secp256k1, and credible estimates for when one might still run from years to more than a decade. The reason a government move still matters is that migrating cryptography across an entire financial and payments system is slow, and the people defending long-lived assets have to start before the threat is live, not after.
For anyone holding crypto, the same logic scales down. The cautious habits are unglamorous and already available: avoid reusing addresses, move balances out of legacy exposed-key addresses, and keep funds at modern address types. None of this requires a new protocol. It is hygiene that limits how much sits behind a public key that an attacker could one day target.
The harder question is what happens to the coins that cannot move. Satoshi-era holdings and lost-key wallets are, by definition, parked at addresses no one can update. A future quantum capability would not respect the fact that those coins are someone's intended legacy. That is the uncomfortable edge of the debate, and it is why "wait until it's a problem" is not a satisfying answer for a fixed-supply asset.
Cards and custody sit on different sides of the migration
A French encryption policy does not change anyone's spending today, but it sketches the migration that wallets and card issuers will eventually run. Every crypto card that authorizes a payment is, underneath, signing or moving value tied to elliptic-curve keys somewhere in the stack.
The split runs along custody. With self-custody setups and hardware signers, the responsibility for adopting quantum-resistant keys lands on the user and the wallet maker. Ledger, the Paris-based hardware wallet company behind the Ledger crypto card, is one of several firms that will have to ship signing schemes aligned with whatever standard wins, the kind of slow firmware-and-standards work that a national policy like France's is meant to force onto a timeline. With a custodial issuer, the provider holds the keys and inherits the migration for the balances it controls, which concentrates the risk but also concentrates who has to fix it. Neither model is automatically safer here. They simply move the burden to different parties.
For users, the practical read is narrow. This does not change which card to hold or how to spend in France or anywhere else. It is a signal that the cryptography under every crypto payment has a long migration ahead, and that governments are starting to treat the deadline as real rather than theoretical.
Overview
France is moving to phase out non-quantum encryption, reviving questions about Bitcoin's reliance on ECDSA signatures. SHA-256 mining is relatively durable; the exposure is concentrated in coins at addresses with already-visible public keys. No quantum machine threatens Bitcoin today, and credible timelines run years out, but migrating cryptography is slow, which is why a government setting a schedule matters now. The practical takeaway for holders is address hygiene, not panic. Bitcoin traded near $64,700 as of June 18, 2026, with the Fear & Greed Index at 22, in "Fear."
