Bitcoin’s Quantum Migration Playbook — Every Proposal Compared
On March 31, 2026, two research papers dropped on the same day and rewrote everything we thought we knew about Bitcoin’s quantum timeline. Google’s Quantum AI team, alongside researchers from Stanford and the Ethereum Foundation, published findings showing that breaking Bitcoin’s ECDSA signature scheme could require fewer than 500,000 physical qubits — a roughly 20-fold reduction from prior estimates that hovered in the millions. The same day, a Caltech/Oratomic paper demonstrated that neutral-atom architectures could push that number even lower, to around 10,000 physical qubits.
I’ve been covering crypto and blockchain since 2020. I’ve written about NFTs, DeFi insurance, and even the environmental cost of minting tokens. But nothing I’ve covered carries the existential weight of what’s unfolding right now in the quantum space. This isn’t theoretical physics anymore. This is an engineering countdown.
The window for orderly migration is open. It will not stay open indefinitely.
Let me walk you through every major proposal on the table, what each one actually does, what it sacrifices, and which combination might be Bitcoin’s best shot at surviving the post-quantum era.
The Threat in Plain Language
Bitcoin’s security rests on a mathematical trapdoor: going from a private key to a public key takes milliseconds, but reversing that operation would take a classical computer longer than the age of the universe. A quantum computer running Shor’s algorithm can walk through that trapdoor in reverse.
Google’s March 2026 whitepaper designed two optimized attack circuits, each requiring roughly 1,200 to 1,450 logical qubits. Under their model, a quantum attacker could derive a private key from an exposed public key and hijack a Bitcoin transaction in approximately nine minutes — just under Bitcoin’s typical 10-minute block confirmation window. The probability of success: about 41%.
That’s not a distant theoretical exercise. That’s a race condition.
Approximately 6.9 million BTC already sit in wallets where public keys have been exposed through past spending, address reuse, or certain wallet patterns. This includes roughly 1.7 million coins from Bitcoin’s earliest days — some possibly linked to Satoshi Nakamoto’s holdings.
Bitcoin’s 2021 Taproot upgrade, while improving privacy and efficiency, actually made public keys visible on the blockchain by default. Analyst Willy Woo noted that Taproot usage dropped from 42% of transactions in 2024 to just 20%, calling it an unusual reversal and explicitly calling Taproot “quantum vulnerable.”
So where do we go from here? Let’s compare every serious proposal.
Proposal 1: BIP-360 — Pay-to-Merkle-Root (P2MR)
Status: Merged into Bitcoin’s official BIP repository, February 2026
Authors: Hunter Beast (MARA), Ethan Heilman, Foxen Duke
Type: Soft fork
Testnet: Live since March 2026 — 50+ miners, 100,000+ blocks, 100+ cryptographer contributors
BIP-360 is the flagship proposal and has generated more developer discussion than any proposal in Bitcoin’s history. It introduces a new output type called Pay-to-Merkle-Root (P2MR), where the cryptographic key is never visible — not even when funds are spent. Under current Bitcoin design, spending from an address is like opening a locked box on your front porch: the key becomes visible the moment you use it. BIP-360 eliminates that exposure entirely.
New addresses would start with bc1z using bech32m encoding. The proposal supports three NIST-favored post-quantum signature algorithms:
- CRYSTALS-Dilithium (ML-DSA) — lattice-based, strong performance
- FALCON (FN-DSA) — lattice-based, compact signatures
- SPHINCS+ (SLH-DSA) — hash-based, conservative and trusted
BTQ Technologies released Bitcoin Quantum testnet v0.3.0, implementing full P2MR consensus with five Dilithium post-quantum signature opcodes enabled in tapscript context and end-to-end CLI wallet tooling.
What it solves: At-rest protection for new addresses. No public key exposure on-chain, even during spending.
What it doesn’t solve: Legacy coins. If your BTC sits in an old address format with an exposed public key, BIP-360 alone won’t protect those funds. It also doesn’t address the “on-spend” attack window for transactions already in the mempool.
The trade-off: Post-quantum signatures are significantly larger than traditional Bitcoin signatures. A standard ECDSA signature is about 70 bytes; a PQC signature can run into several kilobytes. That means higher transaction fees and more witness data per block.
Timeline reality: Bitcoin’s governance is intentionally conservative. SegWit took approximately 8.5 years from conception to adoption. Taproot took about 7.5 years. Even with unprecedented urgency, BIP-360’s path from merged proposal to mainnet activation will not be quick.
Proposal 2: QRAMP — Quantum-Resistant Address Migration Protocol
Status: Draft BIP, under active debate on Bitcoin Development Mailing List
Author: Agustin Cruz
Type: Hard fork consensus change
QRAMP takes the hardest possible line. It proposes a mandatory migration period during which all users must move their BTC from legacy ECDSA-based addresses to quantum-resistant addresses. After the deadline, any UTXOs still sitting in old address types would become unspendable by consensus rule.
In plain terms: if you don’t move your coins before the clock runs out, they’re burned.
Cruz argues this provides “rightful owners with a clear, non-negotiable opportunity to secure their funds.” The logic is straightforward — it eliminates the honeypot of exposed keys that a future quantum attacker could drain.
What it solves: It removes the entire class of legacy vulnerability. After the migration deadline, there would be zero quantum-vulnerable coins on the network.
What it doesn’t solve: The moral problem. Imagine the “Auntie Alice” scenario — a person stores Bitcoin in cold storage as inheritance, doesn’t follow crypto news, and passes away. By the time heirs discover the wallet, the deadline has passed. Those coins are gone.
The trade-off: This proposal effectively alters Bitcoin’s supply. Burned coins are permanently removed from circulation. Estimates suggest 3.5 to 5.5 million Bitcoin have exposed public keys — that’s 17% to 28% of circulating supply. The community pushback is severe, and for good reason: Bitcoin’s immutability promise is at stake.
Community sentiment: Highly contentious. Many developers argue that allowing quantum computers to eventually unlock dormant coins, while inflationary, is preferable to destroying them. Others counter that without a hard deadline, there’s no incentive for migration.
Proposal 3: QSAVE — Quantum Secure Asset Verification & Escrow
Status: Draft BIP, proposed on bitcoindev mailing list
Type: Protocol-level escrow mechanism
QSAVE positions itself as the middle path between QRAMP’s burn-it-all approach and doing nothing. It proposes a non-sovereign wealth fund that provides protective custody for Bitcoin vulnerable to quantum attack. Instead of burning coins, QSAVE would move vulnerable UTXOs into an escrow structure where 100% of the principal is preserved for rightful owners.
The recovery process would require proof of ownership — keys, legal documentation, or other evidence. The proposal draws analogies to real-world lost-and-found departments, citing legal precedents where temporary custody without intent to permanently deprive does not constitute theft.
What it solves: It preserves ownership rights while removing vulnerable coins from the attackable surface. Heirs, long-term holders, and people in difficult circumstances don’t lose their funds.
What it doesn’t solve: Decentralization. The escrow mechanism requires some form of governance body to adjudicate claims. Many developers argue this introduces KYC-like requirements and centralised decision-making that fundamentally conflict with Bitcoin’s ethos. One critic on the mailing list wrote that “no one who owns Bitcoin would run a node which subscribes to such consensus rules.”
The trade-off: It’s the most complex proposal to implement and govern. The verification process would need to be fair, transparent, and resistant to abuse — a tall order in a system designed to be trustless.
Proposal 4: OP_CAT + Lamport Signatures (BIP-347)
Status: Active proposal
Authors: Ethan Heilman, Armin Sabouri
Type: Soft fork (opcode reactivation)
This is the dark horse. BIP-347 proposes reintroducing OP_CAT, an opcode that Satoshi himself removed in 2010, back into Bitcoin’s Tapscript. The key insight: OP_CAT enables the creation of Lamport signatures — a post-quantum signature scheme that requires only the ability to hash and concatenate values on the stack.
As Jeremy Rubin noted: “OP_CAT existed in Bitcoin until 2010, when Satoshi ‘secretly’ forked out a bunch of opcodes. So in theory the original Bitcoin implementation supported post-quantum cryptography out of the box.”
With OP_CAT enabled, users could mark their Taproot outputs as “script-path only” and move their coins into Lamport-protected outputs. This provides a quantum-safe option without requiring a massive protocol overhaul.
What it solves: It gives users an opt-in path to quantum safety using existing Bitcoin infrastructure, with minimal protocol disruption.
What it doesn’t solve: Lamport signatures are one-time use and very large. Each signature can consume significant block space. It’s a tactical fix, not a comprehensive long-term solution.
The trade-off: Elegant simplicity versus practical scalability. OP_CAT is small enough to gain consensus quickly, but Lamport signatures aren’t a permanent answer for a network processing hundreds of thousands of transactions daily.
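To make the "one-time use and very large" point concrete, here is a minimal Lamport scheme showing key generation, signing, verification, the resulting sizes, and what reusing a key exposes. It is an added example, not code from BIP-347 or its authors; SHA-256, the 256-bit digest and the sample messages are choices made for this example.

```python
import hashlib
import secrets

N = 256  # one key pair per bit of a SHA-256 message digest (example choice)

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes) -> list[int]:
    d = int.from_bytes(h(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def keygen():
    # Private key: two random 32-byte secrets per bit. Public key: their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(h(s0), h(s1)) for s0, s1 in sk]
    return sk, pk

def sign(sk, msg: bytes) -> list[bytes]:
    # Reveal, for each digest bit, the secret matching that bit's value.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig: list[bytes]) -> bool:
    # Hash each revealed secret and compare with the committed public value.
    bits = digest_bits(msg)
    return len(sig) == N and all(h(sig[i]) == pk[i][bits[i]] for i in range(N))

def fully_exposed_positions(msgs: list[bytes]) -> int:
    # Positions where signing all of msgs with ONE key reveals both secrets.
    # Anyone holding both secrets at a position can choose that bit freely.
    columns = zip(*(digest_bits(m) for m in msgs))
    return sum(1 for col in columns if len(set(col)) == 2)

sk, pk = keygen()
tx_a, tx_b = b"constructed spend A", b"constructed spend B"  # constructed inputs
sig_a = sign(sk, tx_a)
SIG_BYTES = sum(len(s) for s in sig_a)          # 256 secrets * 32 bytes
PK_BYTES = sum(len(a) + len(b) for a, b in pk)  # 512 hashes * 32 bytes

if __name__ == "__main__":
    print("valid:", verify(pk, tx_a, sig_a))
    print("wrong message:", verify(pk, tx_b, sig_a))
    print("signature bytes:", SIG_BYTES, "public key bytes:", PK_BYTES)
    print("exposed after 1 signature:", fully_exposed_positions([tx_a]))
    print("exposed after 2 signatures:", fully_exposed_positions([tx_a, tx_b]))
```

A single signature here is 8,192 bytes, against the roughly 70-byte ECDSA signature cited earlier, and a second signature under the same key exposes both secrets at every bit position where the two digests differ, which is why wallet software must never sign twice with one Lamport key.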
Proposal 5: Blockstream’s SHRINCS Hash-Based Signatures
Status: Research paper (December 2025), live testing on Liquid sidechain (March 2026)
Lead: Adam Back (Blockstream CEO), 20-person research team
Adam Back’s approach is characteristically methodical. Blockstream published a comprehensive research paper in December 2025 proposing hash-based signatures (specifically the SHRINCS scheme) as Bitcoin’s post-quantum path. The team began live testing on Blockstream’s Liquid sidechain in March 2026.
Back’s position: “We don’t have to agree about the timeline for quantum computers to become powerful enough to be a threat, because the prudent thing to do is to prepare Bitcoin and give people the option to migrate their keys to a quantum-ready format, and to have, let’s say, a decade in which to do that.”
What it solves: Both at-rest and on-spend attack vectors. Unlike BIP-360 alone, which primarily addresses at-rest vulnerability, SHRINCS-style signatures protect the transaction itself during broadcasting.
What it doesn’t solve: Legacy and dormant coins still need a separate migration strategy. The Liquid sidechain testing environment also doesn’t replicate the political complexity of deploying changes on Bitcoin mainnet.
The trade-off: Hash-based signatures are conservative and well-understood cryptographically, but they’re larger than lattice-based alternatives. Blockstream’s approach prioritises security confidence over signature efficiency.
Proposal 6: Winternitz Vault (Ethereum-adjacent, but relevant)
Status: Conceptual design, December 2025
Ecosystem: Originally proposed for Ethereum, applicable pattern for Bitcoin
While not a Bitcoin proposal per se, the Winternitz Vault concept deserves mention because it represents a design pattern that could influence Bitcoin’s approach. The idea: users can opt into storing assets in smart contract-based vaults secured by hash-based, one-time signatures — an approach widely considered quantum-resistant.
Unlike a protocol-level overhaul, vaults function as an additional security layer. Users concerned about long-term quantum risk can opt in while the broader network continues operating unchanged.
Why it matters for Bitcoin: The vault pattern suggests that quantum protection doesn’t have to be all-or-nothing. A layered approach — where users can voluntarily upgrade their security posture — might be more politically feasible than any mandatory migration.
Proposal 7: Private Mempools + Operational Mitigations
Status: Already available (e.g., Slipstream service by MARA)
Type: No protocol change required
This isn’t a BIP — it’s a practical defence that works today. The idea: instead of broadcasting transactions to the public mempool where an attacker can see (and potentially attack) your public key, you submit transactions directly to a mining pool’s private mempool.
Google’s own whitepaper specifically recommended this mitigation: stop reusing wallet addresses, avoid exposing public keys unnecessarily, and support private mempool services.
For large holders, this is the smart move right now, before any protocol upgrade lands. It mitigates the “short exposure” attack where a quantum computer attempts to derive your private key from a public key that’s visible in the mempool during the 10-minute confirmation window.
What it solves: Short-exposure attacks on in-flight transactions.
What it doesn’t solve: Long-exposure attacks on coins with already-exposed public keys. It’s also not decentralised — it requires trusting a specific mining pool.
The Comparison Matrix
| Proposal | Type | Protects New Coins | Protects Legacy Coins | Requires User Action | Consensus Difficulty | Available Now |
|----|----|----|----|----|----|----|
| BIP-360 (P2MR) | Soft fork | Yes | No | Yes (migrate) | High | Testnet only |
| QRAMP | Hard fork | Yes | Burns them | Yes (deadline) | Very High | No |
| QSAVE | Protocol escrow | Yes | Escrow custody | Yes (claim) | Very High | No |
| OP_CAT + Lamport | Soft fork | Partial | No | Yes (opt-in) | Moderate | No |
| SHRINCS (Blockstream) | TBD | Yes | No | Yes (migrate) | High | Liquid sidechain |
| Private Mempools | Operational | Partial | No | Yes (use service) | None | Yes |
My Take: The Dual-Track Strategy
After studying the Chaincode Labs research paper, the BIP-360 testnet results, Google’s whitepaper, and the community debates, I believe Bitcoin needs a dual-track approach:
Track 1 — Emergency preparedness (0–2 years): Deploy BIP-360 as the quantum-resistant address foundation. Simultaneously, encourage adoption of private mempools and best practices (no address reuse, migration to bc1 addresses). These are available now and reduce the attack surface immediately.
Track 2 — Comprehensive migration (2–7 years): Build consensus on how to handle legacy coins. QRAMP is too aggressive; QSAVE is too centralised. The most likely outcome is a hybrid: a long migration window (Adam Back’s “decade” proposal) combined with BIP-360’s new address types, where legacy address spending is eventually deprecated through a graduated, multi-year phase-out rather than a hard cutoff.
The OP_CAT approach (BIP-347) deserves attention as a fast-deploying bridge solution that could provide quantum safety to security-conscious users while the larger infrastructure catches up.
Critically, Blockstream’s SHRINCS research on Liquid gives us a production-grade testbed for hash-based signatures without risking Bitcoin mainnet stability.
The Clock Is Ticking
Jameson Lopp said it best: making thoughtful protocol changes and orchestrating an unprecedented migration of funds “could easily take 5 to 10 years.” The March 2026 papers from Google and Oratomic didn’t move Q-Day to tomorrow — but they compressed the timeline significantly.
The Bitcoin community has historically been slow and deliberate with upgrades, and for good reason. But the quantum challenge is different from any previous upgrade debate. SegWit was about scalability. Taproot was about privacy. This is about whether the mathematical foundation holding trillions of dollars remains sound.
We have time. We don’t have unlimited time.