In this article
I work in the crypto self-custody space. Holders rarely ask me whether quantum computers are real anymore. They ask how much time they have, and what happens to their coins when it runs out. Two draft proposals answer both, and neither answer is comfortable.
In February 2026, a group of Bitcoin developers formally proposed freezing roughly 6.9 million BTC, about 34% of the total supply, before quantum computers can steal them. That number includes the 1.1 million BTC attributed to Satoshi Nakamoto, worth roughly $74 billion at current prices.
BIP-360 and BIP-361 now sit in Bitcoin's official BIP repository. If you read our earlier piece on what Google's quantum paper means for holders, you already know the threat timeline has shortened. These two BIPs are Bitcoin's first concrete response, and they have split the community.
TL;DR
BIP-360 introduces quantum-resistant bc1z addresses via a soft fork, using a new Pay-to-Merkle-Root (P2MR) output and the SegWit witness discount to make post-quantum signatures affordable. Without it, a single quantum-safe transaction would cost roughly $200 or more, because post-quantum signatures run about 33x larger than ECDSA. BIP-361 layers a phased migration on top: block new sends to legacy addresses, then freeze any coins that did not migrate, then offer zero-knowledge-proof recovery for BIP-39-derived wallets. Satoshi's estimated 1.1M BTC in P2PK addresses cannot be recovered through that mechanism. The deployment section of BIP-361 was pulled pending agreement on which post-quantum signature scheme to standardize. The community debate centers on whether the freeze step is protection or confiscation. Holders on modern address types (P2WPKH bc1q, P2TR bc1p) with no address reuse are not at-rest vulnerable today. The window before quantum computers can break Bitcoin's current cryptography sits at 3 to 7 years, and a recent research result tightened that estimate downward.
BIP-360 Lays the Cryptographic Foundation
Think of BIP-360 as the construction plan. Hunter Beast, Ethan Heilman, and Isabel Foxen Duke assigned it on December 18, 2024. It defines how Bitcoin can add post-quantum cryptography without breaking the existing protocol.
The authors define a new output type called Pay-to-Merkle-Root (P2MR), built on SegWit version 2 outputs and a fresh address encoding: bc1z (bech32m). You have seen bc1q for SegWit and bc1p for Taproot. This is the next step in the same series.
What P2MR changes. Taproot (BIP-341) lets you spend Bitcoin two ways: a fast keypath spend using your public key directly, or a scriptpath spend using a Merkle tree of scripts. The keypath is efficient and quantum-vulnerable because it exposes the public key. P2MR removes the keypath. Every spend goes through the Merkle root of the script tree. Your public key never appears on-chain during normal use.
The signature scheme is still open. BIP-360 specifies the address format and witness structure. The post-quantum signature scheme is still under selection, with ML-DSA (Dilithium) and SLH-DSA (SPHINCS+) as leading candidates. Both belong to NIST's finalized post-quantum cryptography standards (FIPS 204 and FIPS 205, finalized 2024). ML-DSA is lattice-based and compact. SLH-DSA is hash-based and offers a different security assumption as a conservative fallback.
The authors already dropped one candidate. SQIsign, based on isogeny problems, was shelved after benchmarks clocked it at roughly 15,000x slower than ECC verification. Theoretical elegance helps no one if a full node cannot validate blocks in reasonable time.
The size problem. A post-quantum signature using ML-DSA runs about 2,420 bytes against roughly 72 bytes for standard ECDSA. A 33x increase. Block space is fixed at roughly 4 MB per block, so that jump is structural, not an inconvenience. The authors address it with an optimized witness structure tied to P2MR outputs. The SegWit witness discount, which already cuts signature data fees by 75%, applies to post-quantum signatures under this proposal.
For a deeper look at how Bitcoin's scripting system works and how Taproot laid the groundwork for this, see Technical Deep Dive.
BIP-361 Is the Freeze Proposal That Divided the Community
BIP-361 is the harder conversation. It asks what to do about the coins that cannot be migrated.
Jameson Lopp, Christian Papathanasiou, Ian Smith, Joe Ross, Steve Vaile, and Pierre-Luc Dallaire-Demers co-authored BIP-361, formally assigned on February 11, 2026. The proposal targets 6.9 million BTC sitting in quantum-vulnerable address types, about 34% of the circulating supply.
The breakdown: roughly 1.7 million BTC sits in P2PK addresses, the earliest format Bitcoin used from 2009 to around 2012. These addresses store the public key directly on-chain, leaving them immediately exposed once a sufficiently powerful quantum computer exists. Of that 1.7 million, an estimated 1.1 million BTC is attributed to Satoshi Nakamoto. The remaining 5.2 million sits in other legacy address types with varying degrees of exposure, mostly addresses where the public key has already been revealed through past transactions or address reuse.
The phased plan.
Phase A activates roughly 160,000 blocks (about 3 years) after activation. New Bitcoin can no longer be sent to legacy address types. You can still spend from legacy addresses during this window, but the network stops accepting fresh deposits into them. A one-way door that pushes adoption of bc1z.
Phase B activates roughly 2 years after Phase A, so about 5 years total from activation. Legacy ECDSA and Schnorr signatures are deprecated entirely. Any Bitcoin still in legacy addresses at that point is frozen. You cannot move it using the old signature schemes.
After Phase B, a zero-knowledge proof recovery mechanism activates. If you missed the deadlines but still hold your seed phrase (BIP-39 or later derivation), you can prove ownership of the frozen coins and migrate them to a quantum-safe address. You prove knowledge of a private key without revealing it. The mechanism cannot help coins stored in pre-BIP-39 key formats. Satoshi's coins fall in that bucket.
On deployment timing. Testnet4 signaling parameters in the proposal reference an epoch of 1798761600, which lines up with a January 1, 2027 UTC start time. The deployment section was pulled from the proposal pre-approval, pending community consensus on which post-quantum signature scheme to adopt. The phased structure is specified. The activation parameters are not.
For context on how dormant coins, inheritance planning, and lost access interact with this proposal, see Bitcoin Inheritance.
The Community Split
The opposition to BIP-361 is real and documented. Critics writing in CoinDesk and CCN have called the freeze mechanism "authoritarian and confiscatory," arguing that seizing control of coins that have not been moved, whatever the reason they sit unmoved, crosses a line Bitcoin's property guarantees were designed never to cross. Developer Mark Erhardt amplified the critique on X.
Defenders of BIP-361 argue the opposite. Coins sitting in P2PK addresses are not secure by design. They are secure only because quantum hardware capable of breaking secp256k1 does not yet exist. Leaving 6.9 million BTC exposed preserves no one's property rights. You are simply delaying the question of who ultimately controls those coins, then handing that question to whoever builds the first sufficiently powerful quantum computer.
Neither position is obviously wrong. The published debate makes one thing clear: the freeze step requires coordinated human decision-making about other people's coins, and Bitcoin has historically avoided that. Whether the necessity outweighs the precedent is a question the community is still working through.
Project Eleven Quantified the Threat
The debate stopped being theoretical in April 2026. On April 24, researcher Giancarlo Lelli won a 1 BTC bounty from Project Eleven's Q-Day Prize by demonstrating the largest known quantum attack on elliptic curve cryptography using real quantum hardware.
Lelli broke a 15-bit ECC key on quantum hardware. The result is 512x larger than any prior public demonstration of quantum attacks on elliptic curve cryptography. A 15-bit key is far smaller than the 256-bit keys Bitcoin uses, so the attack does not threaten Bitcoin today. What it shows is that the curve is attackable, that the engineering required to scale is proceeding, and that the gap between laboratory results and cryptographically relevant hardware is closing faster than some timelines assumed.
CoinDesk and The Quantum Insider both covered the result on April 24, 2026. Project Eleven designed the Q-Day Prize to track exactly this progression, using incrementally larger key sizes to measure how quickly quantum hardware is improving against ECC. Lelli's result is the new benchmark.
For a full breakdown of what this class of quantum research means for Bitcoin holders specifically, see our earlier piece on quantum computing and Bitcoin.
What This Costs Without a Soft Fork
State the size problem precisely, because it explains why BIP-360 cannot be skipped.
A post-quantum signature using ML-DSA (Dilithium) is roughly 2,420 bytes. A standard ECDSA signature is roughly 72 bytes. A 33x increase in signature size. Block space is fixed at roughly 4 MB per block, so the increase is structural, not cosmetic.
At current fee rates and without any protocol optimization, a single quantum-safe transaction would cost roughly $200 or more. That makes post-quantum Bitcoin unusable for ordinary transactions. You could secure your savings and burn a significant percentage of any spend in fees.
The authors address this with an optimized witness structure tied to P2MR outputs. The SegWit witness discount applies to post-quantum signatures under this proposal. The longer-term solution involves signature aggregation. Schemes that support aggregation can combine multiple signatures in a block, dropping per-transaction overhead substantially. The mechanics mirror how Schnorr signature aggregation works in current Bitcoin transactions, adapted for post-quantum math. Which scheme enables this most efficiently is part of the ongoing selection.
What Institutional Holders Should Prepare For
You need to do nothing today. Both proposals are at draft stage. Neither has entered the activation process, and Bitcoin's consensus mechanism guarantees years of review, testing, and debate before any change goes live.
The direction is set, though. When consensus forms, custodians and institutional holders will need to plan for key rotation and address migration. You cannot treat this as a passive upgrade. Every UTXO must be moved to a new address type. For institutions holding Bitcoin across thousands of addresses, that is a significant operational undertaking.
Swiss holders should note that FINMA's regulatory framework already references NIST post-quantum cryptography standards. The ML-DSA algorithm in BIP-360's candidate set is part of NIST's FIPS 204 standard, finalized in 2024. The regulatory alignment is already there, even while the Bitcoin-specific implementation stays in draft.
I work in the crypto self-custody space, and the institutional question has already shifted from "if" to "when." Custodial audit requirements and insurance considerations are pushing that conversation forward independent of activation timelines.
For practical guidance on securing your Bitcoin today, regardless of quantum timelines, see the self-custody guide and BIP-39 seed phrase security.
What Bitcoin Holders Should Do Now
The quantum threat is real and not imminent. Here is what matters today.
Check your address types. If your wallet generates addresses starting with bc1q (P2WPKH) or bc1p (P2TR/Taproot), you are using modern formats. They are quantum-vulnerable in theory, but they do not expose your public key until you spend, giving you time to migrate once quantum-safe addresses become available. Coins in very old address formats, especially P2PK from 2009 to 2012, carry higher exposure. See Wallets: Staying Secure for a full breakdown of address types.
Avoid address reuse. Every time you spend from an address, your public key is exposed on-chain. A fresh address for each transaction limits your exposure window. Most modern wallets do this automatically.
Keep your seed phrase secure. If BIP-361 activates and you miss the Phase A and B deadlines, Phase C's zero-knowledge recovery depends entirely on your ability to prove you hold the original seed phrase. Lose the phrase and those coins are frozen permanently. That holds regardless of quantum computing. Your seed phrase is your last line of defense in every scenario.
Stay informed, not alarmed. McKinsey estimates quantum attacks become viable between 2027 and 2030. Google's internal quantum migration target is 2029. The Bitcoin development community is moving. Project Eleven's Q-Day Prize actively tracks how quickly ECC attacks scale on real hardware. You measure the timeline in years, and years pass quickly when migration demands active steps from every holder.
For more on address privacy and reducing on-chain exposure, see Bitcoin Privacy.
References
- BIP-360 Draft: Hunter Beast, Ethan Heilman, Isabel Foxen Duke. "Pay to Merkle Root." Bitcoin Improvement Proposals. Assigned December 18, 2024. bip360.org
- BIP-361 Draft: Jameson Lopp, Christian Papathanasiou, Ian Smith, Joe Ross, Steve Vaile, Pierre-Luc Dallaire-Demers. "Legacy Signature Sunset." Formally assigned February 11, 2026. bip361.org
- arXiv:2603.28846: Babbush et al. "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities." March 2026.
- NIST Post-Quantum Cryptography Standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA/Dilithium), FIPS 205 (SLH-DSA/SPHINCS+). Finalized 2024. csrc.nist.gov
- Project Eleven Q-Day Prize: Giancarlo Lelli, 1 BTC bounty for 15-bit ECC attack on quantum hardware. April 24, 2026. The Quantum Insider
- CoinDesk, April 15, 2026: "Bitcoin Developers Are Trying to Build Quantum Defenses. Your Coins Could Pay the Price." coindesk.com
- CoinDesk, April 24, 2026: "Researcher Wins 1 Bitcoin Bounty for Largest Quantum Attack on Underlying Tech." coindesk.com
- CCN: "Bitcoin Devs BIP-361: Quantum-Proof Bitcoin or Coin Freeze?" ccn.com
- McKinsey and Company: Quantum computing viability estimates, 2027–2030 window.
What's Next
This article covered what Bitcoin developers are building. For the underlying threat, how Google's paper changed the math, and what it means for your specific wallet, read Quantum Computing and Bitcoin: What Holders Must Know.
To understand the technical foundations that make these proposals possible, start with Technical Deep Dive. For practical steps on securing your Bitcoin today, see Wallets: Staying Secure.
