Bitcoin goes quantum-proof: inside BIP-360, BIP-361 and the coming migration

For over a decade, quantum computing was treated in Bitcoin circles as a far‑off science‑fiction risk: something to worry about “one day,” after more immediate problems were solved. The implicit assumption was always the same: by the time quantum machines are powerful enough to matter, we will have upgraded the protocol.

In 2026, that upgrade path stopped being theoretical.

On February 11, 2026, Bitcoin developers merged BIP‑360 into the reference implementation, defining the network’s first quantum‑resistant address type. Two months later, on April 14, a companion proposal, BIP‑361, landed with a far more controversial idea: a process to migrate – and, in certain edge cases, potentially freeze – an estimated 6.5 to 6.9 million BTC whose public keys are already exposed on‑chain and therefore vulnerable to a sufficiently powerful quantum attack. That set includes roughly 1.7 million “ancient” coins, many of which are widely believed to belong to Satoshi Nakamoto.

What changed is not that quantum computers have suddenly become capable of stealing Bitcoin today. They have not. What changed is the perceived timeline. In early 2026, a series of technical results suggested that breaking Bitcoin’s elliptic‑curve signatures may require dramatically fewer quantum resources than older estimates implied. Around the same time, a research team successfully used real quantum hardware to crack a small elliptic‑curve key and claimed a standing bounty. None of this places Bitcoin at immediate risk, but it has convinced core developers that the countdown has begun.

This article unpacks the nature of the threat, explains what BIP‑360 and BIP‑361 actually propose, explores the fierce arguments over how to handle dormant and vulnerable coins, and looks at what all of this means for ordinary Bitcoin holders.

The quantum threat: not where most people think

The first step is clearing up a common misconception: quantum computers do not primarily threaten Bitcoin mining.

Bitcoin mining relies on SHA‑256 hashing. While quantum algorithms like Grover’s can speed up brute‑force search, turning that into a practical attack on SHA‑256 at Bitcoin’s difficulty levels would require an astronomically large and stable quantum computer. Some estimates put the requirement in the range of 10²³ logical qubits and power consumption approaching that of a star. In any remotely realistic time horizon, Bitcoin’s proof‑of‑work remains effectively quantum‑safe.

The real weak point lies somewhere else entirely: in transaction signatures.

When you hold Bitcoin, you control it through a private key. From that key, a public key is derived. Bitcoin uses elliptic‑curve cryptography (ECC) – specifically ECDSA and, more recently, Schnorr signatures over 256‑bit elliptic curves – to prove that a transaction was authorized by the holder of the corresponding private key. Today, the security guarantee is simple: for classical computers, deriving the private key from the public key is computationally infeasible.

A large, fault‑tolerant quantum computer running Shor’s algorithm changes that equation. Shor’s algorithm can solve the discrete logarithm problem that underpins ECC. In plain language: if a public key is visible, a powerful enough quantum computer could, in principle, compute the associated private key and sign transactions to steal the coins.

That is the actual quantum threat to Bitcoin: not disrupting block production, but undermining the cryptographic proof of ownership.

Why “exposed public keys” matter

A crucial nuance is that not every Bitcoin address is equally vulnerable. A public key only becomes a target once it has been revealed on‑chain.

This happens in a few specific ways:

Spent outputs from standard addresses
Modern Pay‑to‑Public‑Key‑Hash (P2PKH) addresses – the classic “1…” or “3…” addresses, and their newer Bech32 variants – do not expose the public key until the coins are spent. When you finally move funds out, your transaction includes a signature and the corresponding public key. From that point on, the key is visible to everyone, including a future quantum adversary.

Ancient Pay‑to‑Public‑Key (P2PK) outputs
In Bitcoin’s earliest years, many coins were held in P2PK outputs where the public key was embedded directly in the output script. These keys have been visible on‑chain from day one, regardless of whether the coins were moved. This design, harmless at the time, is now a glaring quantum liability.

Certain Taproot and script spends
While Taproot was designed with privacy and efficiency in mind, some spending conditions – especially those that reveal internal keys or full scripts – can also expose public keys when they are used.

Project Eleven, a research group that specializes in quantum risks to cryptocurrencies, estimates that about 6.9 million BTC – roughly one‑third of all existing coins – currently sit in outputs where the public key is already known. This includes the large trove of early P2PK outputs widely believed to include Satoshi Nakamoto’s holdings, worth tens of billions of dollars.

Those coins form the primary attack surface for any future quantum‑capable adversary: they are visible targets that do not require the owner to take any new action to become vulnerable. That is precisely the population BIP‑360 and BIP‑361 are designed to address.

Why now? The accelerating timeline

For years, most technical assessments placed the arrival of a Bitcoin‑threatening quantum computer several decades away. That narrative began to shift in early 2026.

A team of researchers at a major technology company published refined estimates for attacking 256‑bit elliptic‑curve cryptography with Shor’s algorithm. Their work suggested that with improved error‑correction schemes and circuit optimizations, the number of logical qubits and the gate depth required might be significantly lower than previously assumed. Although still far beyond current hardware, the gap no longer feels infinite.

Around the same time, a cryptographer successfully used a real, noisy quantum device to break a deliberately shrunken elliptic‑curve key and claimed a long‑standing reward for doing so. While the demonstration used toy‑sized parameters that bear little resemblance to Bitcoin’s 256‑bit curves, it was a concrete proof that the full attack pipeline – from key selection to quantum computation to key recovery – is workable in principle.

Industry figures began voicing concerns in public interviews and conference talks, warning that quantum advances might outpace conservative forecasts. The message resonated inside the Bitcoin development community: even if the risk curve is uncertain, waiting until the danger is obvious would be reckless, because a successful quantum attack would be instantaneous and irreversible.

The consensus that emerged is pragmatic: Bitcoin is not under imminent quantum attack, but it is time to start the migration. That is what BIP‑360 sets in motion.

BIP‑360: introducing quantum‑resistant Bitcoin addresses

BIP‑360 is the less controversial of the two new proposals, but also the most foundational. Its goal is straightforward: define a new address type that uses post‑quantum cryptography instead of elliptic curves.

In practice, this means:

– A new script template and address format dedicated to quantum‑resistant keys.
– Integration of a post‑quantum signature scheme – typically based on lattice problems or hash‑based constructions – whose security is believed to hold even in the presence of large quantum computers.
– Compatibility with existing wallets and nodes, so that older software can still recognize, relay, and validate transactions using the new address type once it is aware of the upgrade.

Because post‑quantum schemes tend to have much larger public keys and signatures than ECC, BIP‑360 is carefully engineered to avoid blowing up transaction sizes more than necessary. It also allows for future agility: if cryptographic research later identifies a superior post‑quantum algorithm, Bitcoin can introduce an additional address type without discarding the first one.

Crucially, BIP‑360 by itself does not touch existing coins. It simply provides a safe destination: a place where funds can be moved today or in the future to escape quantum‑vulnerable elliptic‑curve signatures.

BIP‑361: the hard part – migrating, and maybe freezing, vulnerable coins

If BIP‑360 is the “new safe harbor,” BIP‑361 is the controversial evacuation plan.

Its core objective is to define a systematic way to protect coins whose public keys are already exposed, particularly those in ancient P2PK outputs and long‑dormant addresses. These outputs cannot be made “un‑exposed”; their keys are already on the blockchain. The only way to protect them from a quantum‑equipped thief is to move them to a quantum‑resistant address before that thief exists.

BIP‑361 lays out a few key ideas:

1. A migration window
For a defined period – potentially several years – owners of exposed‑key outputs are encouraged (and technically enabled) to move their coins into BIP‑360 quantum‑resistant addresses. Tools, wallet upgrades, and educational campaigns are expected to support this process.

2. Special handling of long‑dormant coins
Many of the largest vulnerable balances have not moved for a decade or more. Some likely belong to people who lost their keys; others may be intentionally dormant. BIP‑361 sketches mechanisms to treat such coins differently after the migration window closes, to prevent them from being easy pickings for a quantum thief.

3. Potential freezing of unclaimed exposed outputs
The most contentious aspect is the possibility that, after ample warning and time to act, remaining exposed outputs could be “frozen” – meaning they could no longer be spent with their old elliptic‑curve keys, but only via a new post‑quantum path. In extreme designs, if the owners do not prove control using the new scheme within a further grace period, the outputs might become permanently unspendable or subject to a protocol‑defined recovery process.

Because this logic would directly affect an enormous pool of coins, including those believed to be Satoshi’s, BIP‑361 has triggered intense debate in the Bitcoin ecosystem.

The debate: property rights, immutability, and Satoshi’s coins

At the heart of the BIP‑361 controversy is a philosophical collision: Bitcoin was designed as a system where “rules are rules,” and coins are spendable forever as long as you hold the right key. Introducing any special treatment for certain outputs – even in the name of protection – feels to many like a dangerous precedent.

Critics raise several objections:

Immutability concerns
Freezing or altering the spend conditions of long‑dormant outputs looks, to some, like rewriting history. If the network can do that once, what stops it from doing so again for other reasons?

Property rights and consent
Owners of vulnerable coins never agreed to additional migration requirements when they received their BTC. Forcing them to move or lose access, even over a long time frame, could be interpreted as violating core principles of self‑custody.

Satoshi’s holdings as a symbol
The estimated 1.7 million coins believed to belong to Satoshi Nakamoto have never moved. Any change that affects those outputs is emotionally and politically charged. Some argue that even protecting them without explicit consent is inappropriate; others counter that letting them be stolen by the first quantum attacker would be even more damaging to Bitcoin’s legitimacy.

Supporters of BIP‑361 respond that doing nothing is not neutral:

– If the protocol refuses to adapt, a sophisticated attacker with a quantum computer could one day sweep millions of BTC from exposed keys in hours, catastrophically undermining trust and possibly crashing the market.
– Honest, long‑term holders who cannot monitor the network constantly would be at a severe disadvantage relative to early attackers.
– A well‑signaled, multi‑year migration plan respects property rights more than silently allowing a scenario where inattentive or non‑technical owners are robbed en masse.

Importantly, BIP‑361 is still a proposal. The exact rules for freezing, recovery, or alternative spending paths are under active discussion, and any final design will need broad ecosystem consensus to avoid splitting the network.

How Bitcoin’s approach compares to other blockchains

Bitcoin is not the only system facing the quantum question, but its approach is distinctive.

Many newer chains have tried to bake in “crypto agility” from the start, with modular signature schemes that can, in theory, be swapped out more easily. Some projects have already introduced optional post‑quantum address types or hybrid signatures that require both a classical and a post‑quantum key for spending.

However, Bitcoin’s scale, conservatism, and market importance make its transition uniquely delicate:

Conservatism as a feature
Bitcoin changes slowly and cautiously; its security depends on predictability. BIP‑360 and BIP‑361 represent one of the most significant conceptual shifts since SegWit and Taproot, precisely because they touch the foundational question of what it means to “own” coins.

Mass of legacy coins
No other chain has as much value locked in decade‑old outputs with permanently exposed public keys. This makes the question of freezing or migrating dormant balances far more consequential for Bitcoin than for most competitors.

Ecosystem inertia
The sheer number of wallets, exchanges, and custodians involved means that any quantum‑safe migration path must be not only technically sound but also operationally feasible. Coordination, testing, and staged rollouts will likely take years.

In that context, Bitcoin’s stepwise plan – first define a quantum‑safe destination (BIP‑360), then debate and refine the rules for moving and safeguarding vulnerable coins (BIP‑361) – reflects a characteristically incremental strategy rather than a sudden overhaul.

What this means for ordinary Bitcoin holders

For most everyday users, the near‑term implications are less dramatic than the headlines suggest, but not zero.

Several key points:

Funds in unspent, modern addresses are safer for longer
If your BTC sits in standard P2PKH or SegWit addresses and you have never spent from them, your public keys are not yet exposed. A quantum attacker cannot target them directly today. However, as soon as you spend, those keys will appear on‑chain.

Eventually, everyone will be encouraged to migrate
Over time, wallets and exchanges are expected to add support for BIP‑360 addresses. Best practice will shift toward moving funds from elliptic‑curve‑based addresses into quantum‑resistant ones, especially for long‑term storage.

Hardware and software updates will matter
To benefit from post‑quantum protections, users will need updated wallet software – and, in some cases, new hardware designed to handle larger keys and signatures securely. Paying attention to wallet vendor announcements will become more important.

Custodial users depend on their providers
If you hold BTC on an exchange or in a custodial service, your exposure is mediated by their infrastructure. Reputable custodians will likely run their own migration strategies to quantum‑safe storage, but users may want to monitor and, where possible, inquire about those plans.

The good news is that the transition is being discussed well in advance. There is no need for panic selling or rushed action. But ignoring the topic entirely for the next decade may prove unwise.

Practical steps holders can start considering

Even before BIP‑361 is finalized, there are prudent actions long‑term holders can take:

1. Audit your address history
Identify which of your coins sit in outputs whose public keys are already exposed (i.e., they have been spent at least once) versus truly unspent modern outputs. Many wallet tools can help map this.

2. Avoid unnecessary address reuse
Reusing addresses increases the surface area of exposed keys. Using fresh addresses for receiving funds helps limit future quantum risk.

3. Plan for wallet upgrades
Choose wallets with a track record of adopting new Bitcoin standards. When post‑quantum address support becomes widely available, be prepared to move long‑term holdings there.

4. Stay informed about consensus changes
Migration deadlines, if any are agreed upon, will be communicated years in advance. Following reliable technical summaries can ensure you are not caught off guard.

5. Consider layered security approaches
Some post‑quantum strategies may involve using multiple signature schemes or multisig constructions that reduce reliance on any single cryptographic assumption.

By approaching the transition as a slow‑burn process rather than a last‑minute scramble, holders can maintain control and minimize the risk of forced, stressful decisions later.
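
Step 1 above (auditing which outputs have exposed keys), together with the earlier section on exposed public keys, can be turned into a mechanical check. The Python below is an added example, not code from the BIPs or from any wallet; the function names, labels and sample scripts are constructed for illustration. It treats a Taproot output as exposed because its scriptPubKey carries the 32‑byte output key itself (BIP‑341).

```python
KEY_IN_OUTPUT = "exposed: public key is in the output script"
KEY_REVEALED = "exposed: key revealed by an earlier spend of this script"
HASH_ONLY = "not exposed: only a hash is on-chain until the coins are spent"
UNKNOWN = "unknown script: review by hand"

def classify_script(spk: bytes) -> str:
    """Name the standard template a scriptPubKey matches."""
    n = len(spk)
    # P2PK: <push 33 or 65 bytes> <pubkey> OP_CHECKSIG (0xac)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22:] == b"\x87":
        return "p2sh"
    # Segwit v0: OP_0 <20-byte key hash> or OP_0 <32-byte script hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    # Taproot: OP_1 <32-byte x-only output key>, the key itself per BIP-341
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"
    return "unknown"

def exposure(spk: bytes, spent_scripts: set) -> str:
    """Decide whether a quantum adversary could already see the key."""
    kind = classify_script(spk)
    if kind in ("p2pk", "p2tr"):
        return KEY_IN_OUTPUT
    if kind == "unknown":
        return UNKNOWN
    # Hash-based outputs leak the key only once the same script is spent from.
    return KEY_REVEALED if spk in spent_scripts else HASH_ONLY

def audit(utxos, spent_scripts):
    """Sum satoshis per exposure class; utxos is a list of (spk_hex, sats)."""
    spent = {bytes.fromhex(s) for s in spent_scripts}
    totals = {}
    for spk_hex, sats in utxos:
        label = exposure(bytes.fromhex(spk_hex), spent)
        totals[label] = totals.get(label, 0) + sats
    return totals

# Constructed sample data: filler bytes, not real keys or hashes.
P2PK = "41" + "04" + "11" * 64 + "ac"
P2PKH_FRESH = "76a914" + "22" * 20 + "88ac"
P2PKH_REUSED = "76a914" + "33" * 20 + "88ac"
P2WPKH = "0014" + "44" * 20
P2TR = "5120" + "55" * 32
SAMPLE_UTXOS = [(P2PK, 5_000_000_000), (P2PKH_FRESH, 150_000),
                (P2PKH_REUSED, 250_000), (P2WPKH, 80_000), (P2TR, 40_000)]
SAMPLE_SPENT = {P2PKH_REUSED}  # scripts already seen funding an earlier spend

if __name__ == "__main__":
    for label, sats in audit(SAMPLE_UTXOS, SAMPLE_SPENT).items():
        print(f"{sats:>13,} sat  {label}")
```

In practice the UTXO list and the set of previously spent scripts would come from your own node or a wallet export rather than from constants.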

The bigger picture: a test of Bitcoin’s governance

The shift toward quantum‑resistant Bitcoin is more than a cryptography upgrade; it is a stress test of the network’s social and governance norms.

Questions now on the table include:

– How far can Bitcoin go in altering the life cycle of coins without undermining the promise of immutability?
– Is it acceptable to proactively protect dormant holders, even if some might have chosen to accept quantum risk instead?
– How should the system treat “ownerless” coins whose keys are likely lost? Leave them to be grabbed by the first quantum thief, or render them permanently inert?

The answers will not come from any single developer or institution. They will emerge from a messy, often adversarial process of discussion, implementation, testing, and, if necessary, user‑driven signaling. In that sense, the quantum transition is a microcosm of what has defined Bitcoin from the start: consensus by rough agreement, expressed through running code.

From theoretical risk to managed transition

Quantum computers powerful enough to break Bitcoin’s elliptic‑curve signatures do not exist today. They may still be decades away. But with BIP‑360 already merged and BIP‑361 under intense discussion, Bitcoin has moved from hand‑waving about “future upgrades” to laying down concrete rails for a post‑quantum era.

For developers, that means years of careful engineering and cryptanalysis. For large custodians, it means designing migration plans, auditing key management, and upgrading infrastructure. For individual holders, it will gradually mean learning a new address format, updating wallets, and deciding when to move long‑term holdings into quantum‑resistant shelters.

The underlying goal remains the same as it has always been: ensure that owning Bitcoin means having a durable, technologically robust claim on your coins – not just against today’s attackers, but against those that may emerge from tomorrow’s physics labs.