Bitcoin is going quantum-proof. Inside BIP-360 and the migration




For most of Bitcoin’s history, the threat of quantum computers breaking its cryptography was a distant, theoretical worry, the kind of thing dismissed with “by the time that happens, we will have fixed it.” In 2026, the fixing has begun.

Summary

  • Bitcoin developers introduced BIP 360, the network’s first quantum-resistant address proposal, as part of a long-term plan to protect funds from future quantum computing threats.
  • A companion proposal, BIP 361, would require vulnerable coins to move to new addresses and could permanently freeze inactive holdings, including coins widely believed to belong to Satoshi Nakamoto.
  • The proposals have opened a debate over whether protecting Bitcoin from future quantum attacks justifies restricting access to lost or dormant coins.

On February 11, 2026, a proposal called BIP-360 was published and merged into Bitcoin’s official repository, introducing the network’s first quantum-resistant address type. Two months later, on April 14, a companion proposal called BIP-361 laid out something far more dramatic: a plan to migrate, and potentially freeze, the roughly 6.5 to 6.9 million Bitcoin, about a third of all supply, that sit in addresses vulnerable to a future quantum attack, including an estimated 1.7 million coins in ancient addresses widely believed to belong to Satoshi Nakamoto. The urgency is new. 


In early 2026, Google researchers estimated that breaking Bitcoin’s elliptic-curve signatures might require far fewer quantum resources than previously thought, and a researcher claimed a bounty for breaking a small elliptic-curve key on real quantum hardware. Bitcoin is not in danger today, but its developers have decided the clock has started. 

This piece explains the actual threat, what BIP-360 and BIP-361 do, the fierce debate over how to handle the vulnerable coins, and what it all means for Bitcoin holders.

The threat, precisely

To understand the solution, you first have to understand exactly what quantum computers threaten in Bitcoin, because the popular framing is mostly wrong, and the precise version is what the proposals are built around.

The most common misconception is that quantum computers threaten Bitcoin mining. They do not, at least not in any practical timeframe. Bitcoin mining relies on SHA-256 hashing, and attacking SHA-256 with a quantum computer would require something on the order of 10^23 qubits and 10^24 watts of power, a figure approaching the power output of a star. Mining is, for all realistic purposes, quantum-safe. The threat is somewhere else entirely, and confusing the two leads to misunderstanding the whole issue.

The real vulnerability is in transaction signing, which uses elliptic-curve cryptography, specifically the ECDSA and Schnorr signature schemes built on 256-bit elliptic curves. When you own Bitcoin, your control rests on a private key, from which a public key is derived. The cryptographic guarantee that protects you is that deriving the private key from the public key is computationally infeasible for classical computers.

A sufficiently powerful quantum computer running Shor’s algorithm could break that guarantee, deriving the private key from an exposed public key and seizing the coins. This is the actual quantum threat to Bitcoin: not breaking the mining, but breaking the signatures that prove ownership.

The critical detail is the word “exposed.” A public key is only vulnerable once it has been revealed on the blockchain, and that happens in specific circumstances: every address that has ever sent a transaction reveals its public key in the spending signature, every ancient Pay-to-Public-Key output from Bitcoin’s earliest years has its public key visible by design, and certain Taproot spends expose keys as well. 

Project Eleven, a research group focused on the quantum threat, estimates that roughly 6.9 million BTC, about a third of total supply, sit in addresses where the public key is already exposed on-chain. That includes the estimated 1.7 million coins in ancient P2PK addresses, some believed to be Satoshi’s, worth tens of billions of dollars. Those are the coins a future quantum computer could theoretically sweep, and protecting them, or deciding what to do about them, is what the new proposals address.

Why now: the accelerating timeline

The question that hangs over everything is “when,” and the reason Bitcoin’s developers moved in 2026 rather than continuing to wait is that the timeline appears to be accelerating.

The catalyst was a series of developments in early 2026 that shifted the quantum threat from “someday” toward “plan for it now.” Google researchers published findings suggesting that breaking 256-bit elliptic-curve cryptography might require fewer than 1,200 logical qubits and under 500,000 physical qubits, with runtimes measured in minutes on a future cryptographically relevant quantum computer. 

That estimate was substantially lower than earlier projections, which had suggested millions of qubits would be needed, and a lower resource requirement means the threat arrives sooner. The same research noted that Bitcoin’s Taproot upgrade may have inadvertently made quantum attacks easier by exposing public keys more broadly, adding urgency.

The demonstrations made it concrete. In April 2026, a researcher broke a 15-bit elliptic-curve key using publicly accessible quantum hardware, claiming a 1 BTC bounty from Project Eleven’s Q-Day Prize for the largest public demonstration of an attack on the class of cryptography that protects Bitcoin wallets.

A 15-bit key is trivially small compared to Bitcoin’s 256-bit keys, and 256-bit ECDSA is nowhere close to falling, but the demonstration represented a 512-fold improvement over a comparable result from September 2025. The trajectory, not the current capability, is what alarmed developers: each advance shrinks the gap between theoretical threat and practical timeline, and the rate of improvement suggested the gap was closing faster than assumed.

The expert warnings added weight. A Nobel Prize-winning physicist warned that Bitcoin could be an early target of quantum computing attacks, and a panel of six cryptographers convened by Coinbase concluded that a cryptographically-relevant quantum computer “will eventually be built,” and that migration must begin now. 

The institutional timelines aligned with this: Google set its own post-quantum migration target for 2029, while the US National Institute of Standards and Technology set a broader transition horizon extending to 2035.

The consensus that emerged was not that quantum computers threaten Bitcoin today, but that the migration to quantum resistance takes years, the vulnerable supply is enormous, and starting late could be catastrophic, so the work must begin while there is still time. That consensus is what produced BIP-360 and BIP-361.

What BIP-360 does

BIP-360 is the foundational piece, the proposal that gives Bitcoin a quantum-resistant way to hold coins going forward, and its design reflects a deliberately measured, incremental approach.

The proposal introduces a new output type, variously described as Pay-to-Quantum-Resistant-Hash (P2QRH) or Pay-to-Merkle-Root (P2MR), that works almost exactly like the existing Taproot output type but removes the specific element a quantum computer could exploit. 

In Taproot, spending can reveal an elliptic-curve public key that a quantum computer could attack; the new output type is built so that spending uses post-quantum signature schemes instead, based on NIST-approved algorithms like ML-DSA. Under the hood, it rides on a new SegWit version, and the new addresses begin with a distinct prefix, “bc1r.” When you spend from one of these outputs, you provide post-quantum signatures rather than the quantum-vulnerable elliptic-curve signature, sealing the coins against the quantum threat.

The design is clever in how it preserves compatibility. Legacy nodes that have not upgraded treat the new outputs as “anyone-can-spend,” meaning they will not relay or mine them, while upgraded nodes correctly parse and validate the new format. 

This allows the upgrade to roll out as a soft fork rather than requiring a disruptive hard fork or a sudden change to block size, the same backward-compatible mechanism by which Bitcoin has deployed previous upgrades like SegWit and Taproot. 

The measured approach means BIP-360 can be adopted gradually, with users moving to quantum-resistant addresses as they choose, rather than forcing an abrupt network-wide change.

There is a real cost, and it is worth being honest about it. Post-quantum signatures are much larger than the compact elliptic-curve signatures Bitcoin uses today. Some post-quantum schemes, like SLH-DSA, produce signatures up to 8 kilobytes, far larger than current signatures, which means quantum-resistant transactions consume substantially more block space and could drive fees higher unless miners give these signatures some form of witness discount. 

This is the central engineering trade-off: quantum resistance comes at the price of efficiency, and Bitcoin’s limited block space makes that price meaningful. BIP-360 is therefore a minimal, high-compatibility first step rather than a complete solution, a foundation that protects newly created coins and the coins of those who choose to migrate, while deliberately leaving harder problems, including the larger signature sizes and the question of the existing vulnerable supply, to future work. 

It puts quantum resistance on Bitcoin’s roadmap for the first time, which is its real significance, even though it does not by itself solve the whole problem.

The hard part: BIP-361 and the vulnerable coins

BIP-360 protects coins going forward, but it leaves untouched the roughly one-third of all Bitcoin already sitting in quantum-vulnerable addresses. BIP-361 is the far more contentious attempt to address that legacy supply, and it forces a genuine philosophical crisis.

BIP-361, formally titled “Post Quantum Migration and Legacy Signature Sunset,” published April 14, 2026, proposes a mechanism to handle the exposed coins. The core idea is to set a deadline by which holders of vulnerable coins must migrate them to quantum-resistant addresses, after which the network would stop honoring spends from the old, quantum-vulnerable signature types, effectively sunsetting them. The intent is protective: by forcing migration before a quantum computer exists, the network prevents a future attacker from sweeping the exposed coins, because those coins would already have moved to safety or been rendered unspendable through the old vulnerable path.

The agonizing problem is the coins that cannot migrate. An estimated 1.7 million BTC sit in ancient addresses, including roughly a million believed to be Satoshi Nakamoto’s, whose owners are lost, dead, or permanently absent. These coins cannot be moved to quantum-resistant addresses because no one with the keys is around to move them. If BIP-361’s signature sunset takes effect, these coins would be frozen, rendered permanently unspendable, to prevent a future quantum attacker from stealing them. This is the crux of the entire debate, and it pits two Bitcoin principles directly against each other. On one side is the principle that Bitcoin is immutable and that no one’s coins should ever be frozen or confiscated, a foundational tenet of the network’s credibility. On the other side is the argument that allowing a quantum attacker to steal 6.9 million BTC, dumping them on the market and shattering confidence, would be far more destructive, and that freezing lost coins to prevent theft is the lesser evil.

The proposal authors lean on Satoshi Nakamoto’s own words to argue their case, and the debate is wholly unresolved. Freezing coins, even to protect them, violates the property-rights absolutism that many Bitcoiners hold sacred, and critics argue that the precedent of the network deciding to render coins unspendable is more dangerous than the quantum threat itself. Supporters counter that doing nothing guarantees those coins will eventually be stolen by a quantum attacker, which is its own form of loss, and a more chaotic one. There is no clean answer, which is why BIP-361 is far more contested than BIP-360, and why the question of what to do about the vulnerable legacy supply, especially Satoshi’s coins, may be the most philosophically fraught decision in Bitcoin’s history.

The debate over how to do it

Beyond the freeze question, there is an active technical debate about the best approach to quantum resistance, and it reflects genuine disagreement among serious Bitcoin developers about the right path.

BIP-360’s approach of introducing a new output type is one option, but not the only one. A widely discussed alternative is to keep Taproot’s existing structure and add a hidden post-quantum fallback spend path, rather than replacing Taproot outputs with a new type. Project Eleven described this as a “just-in-time” upgrade that preserves Taproot’s current efficiency and privacy until a quantum-safe branch is actually needed, only activating the post-quantum protection when the threat becomes real. 

BitMEX Research outlined a similar direction in early 2026, arguing for a quantum-safe version of Taproot where the same outputs could be spent through either a quantum-safe path or a classical path. The appeal of this approach is that it preserves compatibility and efficiency longer, avoiding the immediate block-space costs of mandatory post-quantum signatures.

A third approach is to upgrade Bitcoin’s signature schemes directly, using hash-based schemes such as SPHINCS+ or SLH-DSA, rather than introducing a new output type first. Bitcoin Optech’s research on quantum resistance highlights ongoing work on optimizing these signature schemes, Winternitz-style prototypes, and broader research into making post-quantum signatures practical for Bitcoin’s constraints. 

The challenge here is the size problem: hash-based post-quantum signatures are large, and making them efficient enough for Bitcoin’s limited block space is an unsolved engineering problem that this approach would have to crack.

The existence of multiple competing approaches is itself significant, because it means Bitcoin’s quantum defense is still being designed rather than settled. The debate spans several layers: proactive output designs like BIP-360’s new address type, broader post-quantum signature upgrades, and the more forceful options in BIP-361 like migration deadlines and freezing exposed coins. 

Bitcoin’s governance, which requires rough consensus among developers, miners, and users for any change, means these competing proposals will be debated, refined, and tested over an extended period before anything is finalized. This is both a strength and a frustration: it ensures that such a consequential change gets thorough scrutiny, but it also means Bitcoin’s quantum migration will be slow and contentious, unfolding over years rather than arriving as a single decisive upgrade. The proposals on the table today are the opening moves in a long process, not the final answer.

How Bitcoin compares to other chains

Bitcoin is not alone in confronting the quantum threat, and seeing how other major networks are approaching it puts Bitcoin’s measured, contentious process in useful context.

Ethereum has taken a more aggressive and centralized planning approach. Vitalik Buterin published a quantum-resistance roadmap, sometimes called the “Strawmap,” targeting quantum resistance across multiple layers of the network: consensus, accounts, data availability, and zero-knowledge proofs. Ethereum’s planned forks for 2026 incorporate elements of this preparation, and the network’s more flexible governance and willingness to make sweeping protocol changes mean it can, in principle, move faster than Bitcoin toward comprehensive quantum resistance. 

The trade-off is that Ethereum’s faster, more centralized planning sacrifices some of the conservatism that Bitcoin’s slower, consensus-bound process preserves. Where Bitcoin debates fiercely over whether to freeze coins, Ethereum’s culture of regular, ambitious upgrades makes the path smoother but likely less battle-tested.

Ripple’s XRP Ledger has been one of the most concrete movers, with a four-phase plan targeting quantum resistance by 2028. Ripple has already been running NIST-approved post-quantum signature schemes on its test network and partnered with the same research group, Project Eleven, that has been central to Bitcoin’s quantum discussions, for validator testing. Hedera takes a different approach entirely, already using hash-based cryptography that is inherently more quantum-resistant than elliptic-curve schemes, which gives it a structural head start. 

These varied approaches reflect the different architectures and governance models of each network, with some able to move quickly through centralized coordination and others, like Bitcoin, requiring slow consensus.

The comparison illuminates Bitcoin’s particular challenge. Bitcoin’s quantum migration is harder than most networks’ for two structural reasons: its enormous exposed legacy supply, including Satoshi’s coins, has no equivalent on younger chains, and its consensus-driven governance makes sweeping changes slow and contentious in a way that more centrally coordinated networks avoid. 

What looks like Bitcoin moving slowly is partly Bitcoin facing a harder version of the problem, with more at stake and a higher bar for change. The networks that can quantum-proof themselves quickly are generally younger, more centralized, or architecturally simpler, while Bitcoin’s combination of massive vulnerable supply, sacred immutability principles, and decentralized governance makes its path the most fraught. 

That Bitcoin is addressing the threat at all, despite these obstacles, is notable, but holders should expect its migration to be slower and more debated than comparisons with faster-moving chains might suggest it needs to be.

What it means for Bitcoin holders

Cutting through the technical complexity, the practical implications for ordinary Bitcoin holders are more reassuring than the alarming headlines suggest, but they are not nothing.

The first and most important point is that there is no immediate danger. No quantum computer capable of breaking Bitcoin’s cryptography exists today, and by expert estimates the threat is years away, with migration targets stretching from 2029 to 2035. A holder does not need to do anything urgent, and the proposals being debated are precautionary measures taken while there is ample time, not emergency responses to an active attack. 

The fact that Bitcoin’s developers are addressing the quantum threat years before it materializes is a sign of the network’s health and foresight, not a reason for panic. The alarming framing of “Bitcoin going quantum-proof” can read as though Bitcoin is under threat now; it is not.

The second point is that holders can already take a simple protective step, and it costs nothing to understand. The vulnerability applies only to addresses whose public keys are exposed, primarily addresses that have already sent a transaction or ancient P2PK addresses. 

Coins held in modern address types that have never been spent from have their public keys hidden behind a hash, which provides a layer of protection because the public key is only revealed when the coins are spent. 

When quantum-resistant addresses become widely available through BIP-360’s deployment, holders will be able to migrate their coins to the new “bc1r” address type for full protection. The practical guidance is to be aware of the migration when it arrives and to plan to move coins to quantum-resistant addresses in due course, well before any quantum threat becomes real.
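The exposure rule described above (keys visible in P2PK outputs, keys revealed once an address has been spent from, keys hidden behind a hash otherwise) can be checked mechanically against an output's locking script. The following is an added example, not code from the article or from any BIP: it classifies today's standard scriptPubKey templates only, the scripts and amounts are constructed filler, and the `address_spent_before` field is a hypothetical flag a wallet or indexer would have to supply.

```python
# Added example: classify outputs by public-key exposure (constructed data only).
from collections import defaultdict

EXPOSED = "exposed"          # a public key is readable from the output itself
HASHED = "hashed"            # only a hash is on-chain until the first spend
REUSED = "exposed-by-spend"  # hashed type, but the address was already spent from
UNKNOWN = "unknown"          # not one of the templates handled here

def classify_script(spk_hex):
    """Return (script_type, exposure) for a scriptPubKey given as hex."""
    spk = bytes.fromhex(spk_hex)
    n = len(spk)
    # P2PK: <push 33 or 65 bytes> <pubkey> OP_CHECKSIG (0xac)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        valid_prefixes = (0x02, 0x03) if n == 35 else (0x04,)
        if spk[1] in valid_prefixes:
            return "p2pk", EXPOSED
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh", HASHED
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "p2sh", HASHED
    # Witness v0: OP_0 <20-byte key hash> or OP_0 <32-byte script hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh", HASHED
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh", HASHED
    # Witness v1 (Taproot): OP_1 <32-byte x-only output key>, key is in the output
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr", EXPOSED
    return "unknown", UNKNOWN

def exposure_totals(utxos):
    """Sum satoshis per exposure class, upgrading hashed outputs whose
    address has already been spent from (key revealed in an earlier spend)."""
    totals = defaultdict(int)
    for utxo in utxos:
        _, exposure = classify_script(utxo["script"])
        if exposure == HASHED and utxo.get("address_spent_before"):
            exposure = REUSED
        totals[exposure] += utxo["sats"]
    return dict(totals)

# Constructed sample set: repeated filler bytes, not real keys or hashes.
SAMPLE_UTXOS = [
    {"script": "41" + "04" + "11" * 64 + "ac", "sats": 5_000_000_000},
    {"script": "76a914" + "22" * 20 + "88ac", "sats": 150_000_000},
    {"script": "76a914" + "33" * 20 + "88ac", "sats": 20_000_000,
     "address_spent_before": True},
    {"script": "0014" + "44" * 20, "sats": 75_000_000},
    {"script": "5120" + "55" * 32, "sats": 10_000_000},
    {"script": "6a04deadbeef", "sats": 0},  # OP_RETURN data output
]

if __name__ == "__main__":
    for utxo in SAMPLE_UTXOS:
        print(classify_script(utxo["script"]), utxo["sats"])
    print(exposure_totals(SAMPLE_UTXOS))
```

An output reported as `hashed` stays that way only until it is spent, which is why address reuse moves funds into the exposed column.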

The deeper significance is what this episode reveals about Bitcoin’s adaptability, which is the real story beneath the quantum specifics. Bitcoin is often criticized as slow-moving and resistant to change, and that conservatism is real. But the quantum response shows the system working as intended: developers identified a long-term threat, proposed concrete solutions years in advance, and began the deliberate, consensus-driven process of addressing it. 

The most contentious question, what to do about the lost and vulnerable coins, including Satoshi’s, remains unresolved and may prove to be one of the hardest decisions Bitcoin ever makes, because it pits the network’s immutability against its security. How Bitcoin resolves that tension, whether it chooses to freeze vulnerable coins to protect them or upholds absolute immutability and accepts the risk, will say something profound about what Bitcoin values most. 

For now, the takeaway for holders is calm awareness: the threat is real but distant, the response has begun, no urgent action is required, and the hardest choices are still ahead. Bitcoin is going quantum-proof, slowly, deliberately, and with a fierce debate about its own principles along the way.

This article is for informational purposes and does not constitute financial or investment advice. Cryptocurrency markets are highly volatile. The figures and analysis described reflect data available as of June 2026. Always do your own research and consult with qualified professionals before making decisions.




