In June 2024, a Bitcoin developer named Hunter Beast introduced BIP 360, also known as “Pay to Quantum Resistant Hash” (P2QRH), a new address format aimed at future-proofing Bitcoin transactions and ensuring your hodl assurances remain secure on the blockchain, as they have for over a decade.
While debates over block sizes, spam transactions & lower block rewards grab headlines, BIP 360 addresses a looming threat that could render Bitcoin’s entire cryptographic foundation obsolete—the advent of quantum computers capable of breaking the elliptic-curve cryptography that secures every Bitcoin wallet in existence today.
Is this threat real? In the short term, no! It all depends on your time frame.
The determining factor for this threat is how quickly improvements in optimising physical and logical computation and in the stability of quantum computing occur over the next 1 – 4 decades, but it’s far from science fiction.
Recent developments like Google’s “Willow” quantum chip and Microsoft’s Majorana 1 chip have brought the quantum threat into sharp focus, forcing the Bitcoin community to confront an uncomfortable reality.
The clock is ticking, and Bitcoin’s current security model has an expiration date.
Understanding the Quantum Threat: What’s Actually at Risk?
So why are quantum computers threatening Bitcoin’s security? —and why this threat is fundamentally different from the challenges Bitcoin has faced before.
The Two Quantum Algorithms That Threaten Bitcoin
Quantum computers leverage two powerful algorithms that directly threaten cryptographic systems: Shor’s Algorithm and Grover’s Algorithm.
Shor’s Algorithm: The Existential Threat
Developed by Peter Shor in 1994, this algorithm represents the primary danger to Bitcoin. Shor’s algorithm can solve discrete logarithm problems in polynomial time—problems that currently secure Bitcoin’s Elliptic Curve Digital Signature Algorithm (ECDSA).
Here’s what this means in practical terms: On traditional computers, deriving a Bitcoin private key from a public key would take on the order of 2^128 basic operations—effectively impossible. However, a sufficiently large quantum computer running Shor’s algorithm could accomplish this in roughly 128^3 quantum operations, or a few million steps.
The implications are stark: any Bitcoin address that has broadcast a transaction has an exposed public key, and a quantum computer using Shor’s algorithm could derive the private key, allowing an attacker to spend those bitcoins without authorisation.
Grover’s Algorithm: The Secondary Concern
Grover’s algorithm provides a quadratic speedup for unstructured search problems, affecting hash functions like SHA-256. While less immediately threatening than Shor’s algorithm, Grover’s algorithm could reduce the work to brute-force a SHA-256 hash from 2^256 operations to 2^128 operations.
For Bitcoin mining and address hashing, this represents a theoretical long-term concern but not an immediate crisis. The real danger lies in Shor’s algorithm and its ability to break public-key cryptography.
Which Bitcoin Addresses Are Vulnerable?
Now, before you sell all your Bitcoin for fiat and claim it’s so over, there are a few caveats. Not all Bitcoin addresses face equal quantum risk.
The vulnerability hierarchy is as follows:
Most Vulnerable: Pay-to-Public-Key (P2PK) Addresses
Before 2012, Bitcoin block rewards were paid directly to public keys rather than hashed addresses. All of Satoshi Nakamoto’s estimated one million coins, representing more than 5% of all Bitcoin in circulation, are stored in these P2PK addresses with fully exposed public keys.
These addresses are the most vulnerable because their public keys are permanently visible on the blockchain, giving quantum attackers unlimited time to work.
Highly Vulnerable: Taproot Addresses (P2TR)
Taproot addresses, which start with “bc1p,” use Schnorr signatures and expose the public key (or a tweaked version) on-chain, making them vulnerable to Shor’s algorithm, similar to P2PK addresses.
The irony is painful: Taproot, activated in 2021 as Bitcoin’s most advanced upgrade for privacy and smart contract functionality, inadvertently created a new quantum vulnerability by exposing public keys.
Vulnerable After First Spend: Legacy and SegWit Addresses
Pay-to-Public-Key-Hash (P2PKH) and Pay-to-Witness-Public-Key-Hash (P2WPKH) addresses offer better quantum resistance because they hash the public key. The public key must be revealed only when you spend funds from these addresses.
This creates a window of vulnerability: public keys are vulnerable while transactions remain in the mempool waiting for miners to include them in a block. Once the transaction confirms and you don’t reuse the address, the quantum threat ends—until you need to spend again.
However, address reuse—a common practice despite security recommendations against it—permanently exposes these public keys, leaving funds vulnerable.
The Timeline: When Does Quantum Computing Become a Real Threat?
The quantum computing timeline remains uncertain, but the trend is alarming.
As of 2024, cryptography standards like ECRYPT II suggest Bitcoin’s 256-bit ECDSA keys are secure until at least 2030-2040. However, according to BTQ’s quantum risk calculator, breaking Bitcoin ECDSA using Shor’s algorithm could happen as early as 2032 under optimistic assumptions, and as far as 2048 under pessimistic ones.
In 2022, University of Sussex researchers estimated that a quantum computer would need between 13 and 300 million qubits to crack ECDSA in a reasonable timeframe of 1-8 hours. For context, Google’s Willow quantum computer has 105 qubits, meaning we’re still several orders of magnitude away from the threshold.
But progress is accelerating. IBM’s Heron quantum processor turned out to have gate times 100x faster than estimated in 2022, suggesting that with only 360 qubits, it might be possible to decrypt a single address within a year. That’s still far from practical attacks, but it proves what was previously only theoretical.
The reality is that quantum computing progress is non-linear. Bitcoin’s Q-Day—the day quantum computers can break Bitcoin cryptography—may not be sudden and obvious, and coordination of a soft fork activation takes time.
What Does “Quantum-Resistant” Actually Mean?
Quantum resistance doesn’t mean quantum computers can’t interact with the cryptography at all—it means that quantum computers provide no meaningful advantage over classical computers in attacking these systems.
Post-quantum cryptography relies on mathematical problems that remain hard even for quantum computers. Rather than using problems that Shor’s algorithm solves efficiently (like factoring large numbers or solving discrete logarithms), quantum-resistant algorithms use problems like:
- Lattice problems: Finding short vectors in multi-dimensional lattices
- Hash-based problems: Inverting cryptographic hash functions
- Code-based problems: Decoding random linear codes
- Multivariate polynomial problems: Solving systems of multivariate equations
These mathematical structures resist quantum attacks because no known quantum algorithm provides exponential speedup for solving them. Even with Grover’s algorithm providing quadratic speedup, the security margins remain sufficiently large.
Introducing BIP 360: Pay to Quantum Resistant Hash (P2QRH)
BIP 360, authored by Hunter Beast, proposes introducing post-quantum cryptography into Bitcoin by creating new “pay-to-quantum-resistant-hash” (P2QRH) address types that use quantum-resistant signature algorithms.
The Core Innovation: Multiple Signature Algorithm Options
BIP 360 proposes using post-quantum cryptography—specifically FALCON and CRYSTALS-Dilithium signatures—which cannot be broken by known quantum algorithms.
These aren’t arbitrary choices. Both FALCON and CRYSTALS-Dilithium are among the four algorithms selected by the US National Institute of Standards and Technology (NIST) for post-quantum cryptography standardisation after years of rigorous evaluation.
Why Two Algorithms?
BIP 360 initially considered four algorithms but was reduced to provide multiple signature algorithm options for users to select their desired level of security, with the understanding that it’s not 100% certain all these algorithms will remain quantum resistant for all time.
This redundancy is intentional. If one algorithm is eventually broken (either by quantum or classical advances), Bitcoin users have fallback options without requiring another consensus change.
How P2QRH Addresses Work?
BIP 360 introduces a new address format that will start with “bc1r” (using Bech32m encoding, similar to Taproot’s “bc1p” addresses). These addresses represent a fundamental shift in how Bitcoin secures funds.
The Address Structure
P2QRH uses a 32-byte HASH256 (specifically SHA-256 applied twice) of the public key to reduce the size of new outputs and increase security by not having the public key available on-chain.
This approach is crucial: by hashing the quantum-resistant public key, P2QRH addresses remain compact while hiding the public key until spending time. This maintains Bitcoin’s defense-in-depth approach where public keys aren’t exposed unless necessary.
The Signature Algorithms
Let’s examine the two primary quantum-resistant signature schemes proposed in BIP 360:
CRYSTALS-Dilithium (ML-DSA)
Dilithium is a lattice-based digital signature algorithm chosen as NIST’s primary standard for digital signatures. It produces signatures quickly and verifies efficiently, with relatively compact sizes for the lattice category.
Dilithium uses lattice-based Fiat-Shamir schemes and produces one of the smallest signatures of all post-quantum methods. The algorithm offers three security levels:
- Dilithium2: ~2,420 byte signatures (128-bit security)
- Dilithium3: ~3,293 byte signatures (192-bit security)
- Dilithium5: ~4,595 byte signatures (256-bit security)
Public keys range from 1,312 to 2,592 bytes, and private keys from 2,528 to 4,864 bytes depending on the security level.
FALCON
FALCON is an alternative lattice-based signature scheme that provides even smaller signature sizes using advanced mathematics (FFT over NTRU lattices), which is useful for constrained environments, though it is more complex to implement.
FALCON offers two security levels: FALCON512 with 690-byte signatures and 897-byte public keys (128-bit security), and FALCON1024 with 1,330-byte signatures and 1,793-byte public keys (256-bit security).
While FALCON signature verification is relatively easy to implement and fast, signature generation is much more complicated and very hard to implement securely. This complexity-performance tradeoff is why NIST selected both algorithms rather than forcing a single choice.
The Performance Tradeoffs
The elephant in the room is size. Quantum-resistant signatures are dramatically larger than current ECDSA signatures:
- Current ECDSA signatures: ~71 bytes
- FALCON512 signatures: ~690 bytes (9.7x larger)
- Dilithium2 signatures: ~2,420 bytes (34x larger)
- Dilithium5 signatures: ~4,595 bytes (64.7x larger)
These size increases have direct implications:
- Block Space Impact: Larger signatures mean fewer transactions per block, reducing Bitcoin’s already limited throughput. An October 2024 paper by University of Kent researchers estimates that a full migration of vulnerable addresses would take 76 days assuming all Bitcoin transactions are migration transactions, or roughly 2 years if 25% of block space is allocated to migration transactions.
- Fee Market Dynamics: Larger transactions require more block space, meaning higher fees. Users will need to pay significantly more to move funds secured by quantum-resistant addresses.
- UTXO Set Size: Public keys for quantum-resistant schemes are also larger, increasing the size of the UTXO set that full nodes must store.
- Verification Time: The original BIP 360 considered SQIsign but removed it because it has 15,000x slower verification compared to ECC—if it takes 1 second to verify a fully ECC block, it would take 4 hours to validate a block filled with SQIsign transactions.
These tradeoffs aren’t deal-breakers, but they expose the costs that the Bitcoin community must accept to preserve long-term security.
Why Old Address Schemes Are at Risk?
The fundamental vulnerability in Bitcoin’s current address schemes stems from the mathematical hardness assumptions underlying elliptic curve cryptography.
The ECDSA Vulnerability
Bitcoin uses the secp256k1 elliptic curve with ECDSA signatures. The security of ECDSA relies on the difficulty of the elliptic curve discrete logarithm problem (ECDLP)—given a public key, it’s computationally infeasible to figure out the private key with classical computers.
Shor’s algorithm directly threatens this security by solving discrete log problems in polynomial time. What takes classical computers 2^128 operations (effectively impossible) becomes feasible for quantum computers.
The Exposure Problem
Even addresses that hash public keys face exposure during spending:
- Transaction Broadcasting: When you create a transaction, you must reveal your public key in the scriptSig or witness data to prove you’re authorised to spend the UTXO.
- Mempool Vulnerability: Your transaction sits in the mempool—potentially for minutes or hours during congestion—with your public key fully exposed.
- The Attack Window: A quantum attacker could monitor the mempool, identify high-value transactions, derive the private key using Shor’s algorithm, and broadcast a competing transaction with a higher fee to steal the funds.
This “short exposure attack” becomes more dangerous as quantum computers get faster. Currently, the time from broadcast to confirmation provides protection—but that protection evaporates as quantum computing advances.
The Address Reuse Catastrophe
Ethereum’s account model (where users reuse the same address continually) makes its exposure to quantum attacks even greater than Bitcoin’s, as public keys get revealed with the first transaction and remain permanently exposed.
Bitcoin users who reuse addresses face the same problem. Once you’ve spent from an address, its public key is forever visible on the blockchain. If you receive new funds to that same address, those funds are permanently vulnerable to quantum attack with unlimited time to prepare.
Taproot’s Unintended Consequence
The 2021 Taproot upgrade brought powerful privacy and smart contract improvements but inadvertently created a new quantum vulnerability class. Taproot addresses expose the public key (or a tweaked version) directly, making them vulnerable to long-exposure quantum attacks similar to Satoshi’s P2PK coins.
This wasn’t an oversight—Taproot’s design requires public key exposure for its efficiency and privacy benefits. The designers made a calculated tradeoff, betting that quantum threats remained distant enough to be addressed later. BIP 360 is that “later.”
The Migration Challenge: Getting Bitcoin Users to Quantum-Resistant Addresses
Creating quantum-resistant addresses is the easy part. The hard part is migrating Bitcoin’s existing ~2 million BTC in exposed or vulnerable addresses to secure P2QRH addresses before quantum computers arrive.
The Voluntary Migration Problem
River estimates that roughly 1.6 million Bitcoin are lost, plus Satoshi’s estimated holdings of 968,000 BTC—coins that may never be migrated to safe addresses.
Lost coins can’t be migrated because no one controls the private keys. But they represent a permanent quantum vulnerability: once quantum computers become sufficiently powerful, these coins become “fair game” for anyone with the technology.
The Dormant Coin Dilemma
In 2020, Deloitte estimated that 25% of circulating Bitcoin are linked to old address types vulnerable to quantum attacks. Many of these coins belong to:
- Long-term holders who’ve forgotten their keys
- Early adopters who lost access
- Deceased individuals without inheritance plans
- Hodlers who simply aren’t paying attention to protocol developments
What happens to these coins? The community faces difficult choices:
Option 1: Allow Quantum “Unlocking”
Some argue for letting those with quantum computers “free up old coins,” viewing any inflationary impact as transitory and supporting the return of lost coins to circulation.
This approach treats quantum vulnerability as a feature, not a bug—a way to recycle lost coins back into the active supply. However, it creates perverse incentives for quantum computing development specifically to attack Bitcoin.
Option 2: Forced Migration with Confiscation
Others argue that old coins must be “confiscated” through a soft fork that makes legacy addresses unspendable after a migration period. This prevents quantum attacks but represents an unprecedented intervention in Bitcoin’s immutability.
A proposal called QRAMP (Quantum-Resistant Address Migration Protocol) suggests exactly this approach: Phase A would ban sending funds to legacy ECDSA/Schnorr addresses three years after BIP 360 implementation, Phase B would make all legacy signatures invalid two years later, permanently freezing coins in quantum-vulnerable addresses.
This would be Bitcoin’s most controversial change ever, potentially affecting millions of coins including Satoshi’s legendary holdings.
Option 3: Rely on Economic Incentives
Perhaps users will migrate voluntarily once quantum threats become credible, driven by self-interest rather than protocol mandates. However, if quantum capabilities emerge suddenly, coordinated soft fork activation takes time and shouldn’t be rushed, potentially leaving a dangerous gap.
The Timeline Pressure
BIP 360 faces a coordination challenge: it must be deployed soon enough that users have time to migrate before quantum threats materialise, but not so early that the costs and disruption seem unjustified relative to a theoretical threat.
The development of Google’s Willow quantum chip has shed light on this vulnerability in recent news, calling into question the time left until Q-Day. A smooth and effective quantum-resistant transition plan for Bitcoin could take several years to execute at the BIP level, software level, infrastructure level, and user-transition level, with more prep time inevitably leading to better security outcomes.
The community must begin now to have any hope of orderly migration before crisis strikes.
The Broader Implications: What BIP 360 Means for Bitcoin’s Future
BIP 360 represents more than a technical upgrade—it’s a test of Bitcoin’s ability to evolve when faced with existential threats.
Precedent for Emergency Soft Forks
If BIP 360 or a successor gets activated, it would establish precedent for major cryptographic changes to Bitcoin’s core protocol. This could be viewed positively (Bitcoin can adapt to threats) or negatively (developers can push through major changes when sufficiently motivated).
Without discussing potential solutions now, Bitcoin risks either a rushed and unilaterally-implemented emergency activation by Bitcoin Core maintainers at best, or a potentially fatal security breach at worst.
The Cost of Security
Quantum resistance isn’t free. The performance penalties—larger transactions, higher fees, slower verification—represent a real cost that Bitcoin users must accept to preserve long-term security. This forces difficult questions about Bitcoin’s core value proposition: is decentralisation and self-sovereignty worth paying for with reduced efficiency?
The Altcoin Implications
Beyond Bitcoin and Ethereum, virtually all major cryptocurrencies rely on similar cryptographic assumptions and would face similar perils with quantum computers—most blockchains use elliptic curve signatures broken by Shor’s algorithm.
Bitcoin’s decisions around quantum resistance will likely influence the entire cryptocurrency ecosystem. As the largest and most conservative blockchain, Bitcoin’s approach to post-quantum security will set standards that others follow.
For those that choose not to upgrade in time, quantum computing could become a great culling moment for altcoins.
The Satoshi Question
Satoshi Nakamoto’s one million coins, representing more than 5% of all Bitcoin in circulation, are exposed via P2PK addresses vulnerable to quantum attacks, but also serve as a honeypot that can sound the alarm that old coins are vulnerable.
If any old P2PK output is publicly hacked—especially Satoshi’s wallet—it could harm trust in Bitcoin and, most likely, overnight wipe out a lot of the value as the market comes to grips with these new coins back in circulation.
This creates a unique situation: Satoshi’s coins becoming vulnerable to quantum theft could paradoxically prove that quantum threats are real and immediate, triggering rapid community action.
But by that point, the damage to Bitcoin’s reputation might be irreparable.
For most people, the quantum threat flies right over their heads, and explaining the nuance would be hard, so panic would likely ensue the moment word got out that “Bitcoin was breached”.
Would it be the end of Bitcoin? I doubt it!
Would it be a great time to load up on cheap sats as Quantum hacked coins are dumped and panic sellers exit?
Absolutely, go to town and move your funds to a new address scheme and wait out the eventual madness, is likely my game plan should Q day come rolling around.
The Current Status and Path Forward
As of late 2024, BIP 360 remains in draft stage with ongoing community discussion and technical refinement.
Active Development
BIP 360 author Hunter Beast is working on an implementation for Anduro (a Bitcoin sidechain project), and is transparent about his employment by MARA. This allows real-world testing of quantum-resistant signatures in a Bitcoin-compatible environment without risking mainnet.
The implementation uses a fork of rust-bitcoin and models after Steven Roose’s work on BIP-346, with the goal of providing concrete technical demonstrations to support the proposal.
Community Feedback
One major concern raised is that introducing multiple new algorithms adds complexity to the network, wallets, and applications. Finding the right balance between security, redundancy, and implementation simplicity remains an open question.
The Bitcoin development community has yet to reach consensus on:
- Whether quantum threats justify immediate action
- Which specific algorithms to include
- How to handle the migration of existing coins
- Whether forced migration should ever be considered
The Complementary P2TRH Proposal
Alongside P2QRH, discussions include Pay-to-Taproot-Hash (P2TRH) as a post-quantum mitigation strategy. This approach would hash Taproot public keys rather than exposing them directly, providing quantum resistance while maintaining Taproot’s other benefits.
P2TRH represents a more conservative approach—keeping existing cryptography but hiding public keys better. However, it only protects against long-exposure attacks, not short-exposure mempool attacks during spending.
What Bitcoin Users Can Do Now?
While BIP 360 works through the standardisation process, Bitcoin holders can take steps to minimise quantum vulnerability:
Address Management Best Practices
- Never Reuse Addresses: Generate a new address for every transaction. This limits public key exposure to the brief window during spending rather than creating a permanent vulnerability.
- Avoid Taproot for Long-Term Storage: While Taproot offers benefits for privacy and smart contracts, its public key exposure makes it suboptimal for coins you intend to hold for decades.
- Prioritise P2WPKH for Cold Storage: Native SegWit addresses (starting with “bc1q”) offer the best combination of current features and quantum resistance through public key hashing.
- Consider Time Horizons: If you’re holding Bitcoin for 5-10 years, quantum threats may remain theoretical. If you’re planning a multi-generational wealth transfer, quantum resistance becomes critical.
Stay up to date with Quantum News and FUD
The main obstacle for a quantum computer is to have enough stable, error-corrected qubits (quantum bits) that can maintain an ideal state long enough to run through every combination possible to decode an encryption scheme.
1. Insufficient Qubit Count
The single biggest roadblock is the sheer number of qubits required.
- To break a standard 2048-bit RSA key—a common encryption standard today—a quantum computer would need an estimated 3,000 to 4,000 logical qubits.
- Current leading-edge quantum computers have physical qubit counts in the hundreds, but they are still far from the necessary number of logical qubits needed for a complex algorithm like Shor’s.
2. High Error Rates and Decoherence
Quantum systems are extremely fragile, leading to high error rates.
- Decoherence: Qubits are highly sensitive to environmental noise (like stray electromagnetic fields or temperature fluctuations). This causes the quantum state to collapse, or “decohere,” losing the information they hold before the calculation is complete.
- Need for Error Correction: To counteract decoherence, quantum computers need Quantum Error Correction (QEC). This requires combining many physical qubits to form a single, highly stable logical qubit. Current estimates suggest that between 1,000 and 10,000 physical qubits may be needed to create just one reliable logical qubit.
- This is why even a machine with 6,000 physical qubits is still nowhere near the 3,000+ logical qubits required to break RSA.
3. Maintaining Coherence Time
- The time it takes to execute all the steps in Shor’s algorithm for a cryptographically relevant key size is extensive. The qubits must maintain their fragile quantum state (coherence) for the entire duration of the computation.
- Current coherence times are too short and error-prone to allow for the millions or even billions of operations required for a full-scale attack on modern encryption.
4. Hardware Scalability
- Scaling up the current experimental quantum hardware (e.g., superconducting circuits, trapped ions) faces immense engineering and cost challenges.
- Superconducting computers require maintaining temperatures near absolute zero ($0 \text{ K}$ or $-273.15^\circ \text{C}$) in dilution refrigerators. Scaling up these cryogenic systems to house millions of qubits is a monumental task.
- Managing the complex control systems, wiring, and shielding for thousands of interacting qubits exponentially increases the complexity and difficulty.
Prepare for Migration
When quantum-resistant addresses become available—whether through BIP 360 or another proposal—be ready to migrate funds, once there is community consensus. This will likely be a once-in-a-lifetime event for Bitcoin, and stragglers who delay migration may find themselves vulnerable.
For now, upgrading to Taproot addresses should be your standard!
Given Enough Time, This Is An Unavoidable Upgrade
Bitcoin’s quantum resistance problem isn’t whether it needs to be addressed—it’s when and how. BIP 360 is a concrete, technically sound proposal that leverages NIST-standardised post-quantum cryptography to extend Bitcoin’s security into the quantum era, but is it the right solution for right now?
Or do we have a decade or so to refine the proposal?
The tradeoffs are real: larger signatures mean higher fees and reduced throughput. The coordination challenges are immense: migrating 19 million Bitcoin to new address types while some remain in lost or dormant wallets creates unprecedented complexity. The timeline pressure is mounting: quantum computing advances continue, and Bitcoin’s notoriously slow consensus process means starting now barely leaves enough time for orderly transition.
But the alternative—doing nothing and hoping quantum threats remain distant—represents a gamble that Bitcoin cannot afford to take, if you want to claim to be sound money and a secure global payment layer.
As BIP 360 author Hunter Beast states,
“The potential for quantum attack is too serious a threat not to take seriously. Waiting until emergency strikes will not yield optimal results.”
BIP 360 and the broader quantum resistance conversation force Bitcoin to confront a fundamental tension:
Can a decentralised protocol make major changes before a crisis strikes?
Or must Bitcoin wait for actual harm before mobilising consensus?
The answer may determine whether Bitcoin remains secure, decentralised money for generations to come—or becomes a cautionary tale about protocols that couldn’t adapt to foreseeable threats. The quantum clock is ticking, and BIP 360 represents Bitcoin’s best chance to stay ahead of it.
The choice facing Bitcoin is simple: evolve proactively to embrace quantum resistance, or risk catastrophic failure when quantum computers finally break ECDSA.
There is no third option!
For a protocol that aspires to be money for the next century, preparing for quantum threats isn’t paranoia—it’s prudence, and ossification is likely not the right policy for every threat. BIP 360 offers Bitcoin that preparation, and the community must decide whether to seize this opportunity while there’s still time.
