\n
![](\"https:\/\/media.crypto.news\/2025\/09\/crypto-news-Bitcoins-quantum-time-bomb-option04.webp\")
<\/p>\n
\n<\/p>\n
For most of Bitcoin\u2019s history, the threat of quantum computers breaking its cryptography was a distant, theoretical worry, the kind of thing dismissed with \u201cby the time that happens, we will have fixed it.\u201d In 2026, the fixing has begun.<\/p>\n
\n Summary<\/span>\n <\/p>\n <\/p>\n On February 11, 2026, a proposal called BIP-360 was published and merged into Bitcoin\u2019s official repository, introducing the network\u2019s first quantum-resistant address type. Two months later, on April 14, a companion proposal called BIP-361 laid out something far more dramatic: a plan to migrate, and potentially freeze, the roughly 6.5 to 6.9 million Bitcoin, about a third of all supply, that sit in addresses vulnerable to a future quantum attack, including an estimated 1.7 million coins in ancient addresses widely believed to belong to Satoshi Nakamoto. The urgency is new.\u00a0<\/p>\n In early 2026, Google researchers estimated that breaking Bitcoin\u2019s elliptic-curve signatures might require far fewer quantum resources than previously thought, and a researcher claimed a bounty for breaking a small elliptic-curve key on real quantum hardware. Bitcoin is not in danger today, but its developers have decided the clock has started.\u00a0<\/p>\n This piece explains the actual threat, what BIP-360 and BIP-361 do, the fierce debate over how to handle the vulnerable coins, and what it all means for Bitcoin holders.<\/p>\n NEW: Jameson Lopp and Bitcoin developers propose BIP-361, freeze quantum-vulnerable wallets to protect dormant coins like Satoshi\u2019s 1.1m BTC now worth $74b pic.twitter.com\/COLZpHe6tr<\/a><\/p>\n \u2014 crypto.news (@cryptodotnews) April 15, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n To understand the solution, you first have to understand exactly what quantum computers threaten in Bitcoin, because the popular framing is mostly wrong, and the precise version is what the proposals are built around.<\/p>\n The most common misconception is that quantum computers threaten Bitcoin mining. They do not, at least not in any practical timeframe. Bitcoin mining relies on SHA-256 hashing, and attacking SHA-256 with a quantum computer would require something on the order of 10 to the 23rd power qubits and 10 to the 24th power watts of energy, a figure approaching the power output of a star. Mining is, for all realistic purposes, quantum-safe. The threat is somewhere else entirely, and confusing the two leads to misunderstanding the whole issue.<\/p>\n The real vulnerability is in transaction signing, which uses elliptic-curve cryptography, specifically the ECDSA and Schnorr signature schemes built on 256-bit elliptic curves. When you own Bitcoin, your control rests on a private key, from which a public key is derived. The cryptographic guarantee that protects you is that deriving the private key from the public key is computationally impossible for classical computers.\u00a0<\/p>\n A sufficiently powerful quantum computer running Shor\u2019s algorithm could break that guarantee, deriving the private key from an exposed public key and seizing the coins. This is the actual quantum threat to Bitcoin: not breaking the mining, but breaking the signatures that prove ownership.<\/p>\n The critical detail is the word \u201cexposed.\u201d A public key is only vulnerable once it has been revealed on the blockchain, and that happens in specific circumstances: every address that has ever sent a transaction reveals its public key in the spending signature, every ancient Pay-to-Public-Key output from Bitcoin\u2019s earliest years has its public key visible by design, and certain Taproot spends expose keys as well.\u00a0<\/p>\n Project Eleven, a research group focused on the quantum threat, estimates that roughly 6.9 million BTC, about a third of total supply, sit in addresses where the public key is already exposed on-chain. That includes the estimated 1.7 million coins in ancient P2PK addresses, some believed to be Satoshi\u2019s, worth tens of billions of dollars. Those are the coins a future quantum computer could theoretically sweep, and protecting them, or deciding what to do about them, is what the new proposals address.<\/p>\n The question that hangs over everything is \u201cwhen,\u201d and the reason Bitcoin\u2019s developers moved in 2026 rather than continuing to wait is that the timeline appears to be accelerating<\/a>.<\/p>\n JUST IN: CZ says quantum computing may break existing crypto encryption and that Bitcoin may need to fork to quantum-resistant algorithms pic.twitter.com\/RboKjBGTJf<\/a><\/p>\n \u2014 crypto.news (@cryptodotnews) April 10, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n The catalyst was a series of developments in early 2026 that shifted the quantum threat from \u201csomeday\u201d toward \u201cplan for it now.\u201d Google researchers published findings suggesting that breaking 256-bit elliptic-curve cryptography might require fewer than 1,200 logical qubits and under 500,000 physical qubits, with runtimes measured in minutes on a future cryptographically relevant quantum computer.\u00a0<\/p>\n That estimate was substantially lower than earlier projections, which had suggested millions of qubits would be needed, and a lower resource requirement means the threat arrives sooner. The same research noted that Bitcoin\u2019s Taproot upgrade may have inadvertently made quantum attacks easier by exposing public keys more broadly, adding urgency.<\/p>\n The demonstrations made it concrete. In April 2026, a researcher broke a 15-bit elliptic-curve key using publicly accessible quantum hardware, claiming a 1 BTC bounty from Project Eleven\u2019s Q-Day Prize for the largest public demonstration of the attack class that protects Bitcoin wallets.\u00a0<\/p>\n <\/p>\n A 15-bit key is trivially small compared to Bitcoin\u2019s 256-bit keys, and 256-bit ECDSA is nowhere close to falling, but the demonstration represented a 512-fold improvement over a comparable result from September 2025. The trajectory, not the current capability, is what alarmed developers: each advance shrinks the gap between theoretical threat and practical timeline, and the rate of improvement suggested the gap was closing faster than assumed.<\/p>\n The expert warnings added weight. A Nobel Prize-winning physicist warned that Bitcoin could be an early target of quantum computing attacks, and a panel of six cryptographers convened by Coinbase concluded that a cryptographically-relevant quantum computer \u201cwill eventually be built,\u201d and that migration must begin now.\u00a0<\/p>\n The institutional timelines aligned with this: Google set its own post-quantum migration target for 2029, while the US National Institute of Standards and Technology set a broader transition horizon extending to 2035.<\/p>\n The consensus that emerged was not that quantum computers threaten Bitcoin today, but that the migration to quantum resistance takes years, the vulnerable supply is enormous, and starting late could be catastrophic, so the work must begin while there is still time. That consensus is what produced BIP-360 and BIP-361.<\/p>\n BIP-360 is the foundational piece, the proposal that gives Bitcoin a quantum-resistant way to hold coins going forward, and its design reflects a deliberately measured, incremental approach.<\/p>\n The proposal introduces a new output type, variously described as Pay-to-Quantum-Resistant-Hash (P2QRH) or Pay-to-Merkle-Root (P2MR), that works almost exactly like the existing Taproot output type but removes the specific element a quantum computer could exploit.\u00a0<\/p>\n In Taproot, spending can reveal an elliptic-curve public key that a quantum computer could attack; the new output type is built so that spending uses post-quantum signature schemes instead, based on NIST-approved algorithms like ML-DSA. Under the hood, it rides on a new SegWit version, and the new addresses begin with a distinct prefix, \u201cbc1r.\u201d When you spend from one of these outputs, you provide post-quantum signatures rather than the quantum-vulnerable elliptic-curve signature, sealing the coins against the quantum threat.<\/p>\n The design is clever in how it preserves compatibility. Legacy nodes that have not upgraded treat the new outputs as \u201canyone-can-spend,\u201d meaning they will not relay or mine them, while upgraded nodes correctly parse and validate the new format.\u00a0<\/p>\n This allows the upgrade to roll out as a soft fork rather than requiring a disruptive hard fork or a sudden change to block size, the same backward-compatible mechanism by which Bitcoin has deployed previous upgrades like SegWit and Taproot.\u00a0<\/p>\n The measured approach means BIP-360 can be adopted gradually, with users moving to quantum-resistant addresses as they choose, rather than forcing an abrupt network-wide change.<\/p>\n There is a real cost, and it is worth being honest about it. Post-quantum signatures are much larger than the compact elliptic-curve signatures Bitcoin uses today. Some post-quantum schemes, like SLH-DSA, produce signatures up to 8 kilobytes, far larger than current signatures, which means quantum-resistant transactions consume substantially more block space and could drive fees higher unless miners give these signatures some form of witness discount.\u00a0<\/p>\n This is the central engineering trade-off: quantum resistance comes at the price of efficiency, and Bitcoin\u2019s limited block space makes that price meaningful. BIP-360 is therefore a minimal, high-compatibility first step rather than a complete solution, a foundation that protects newly created coins and the coins of those who choose to migrate, while deliberately leaving harder problems, including the larger signature sizes and the question of the existing vulnerable supply, to future work.\u00a0<\/p>\n\n\n
\n\n
The threat, precisely<\/h2>\n
Why now: the accelerating timeline<\/h2>\n
\n\n
What BIP-360 does<\/h2>\n