Inside Bitcoin’s 7-Year Quantum Shield: BIP-360 and BIP-361 Plan to Save a $1.5 Trillion Network

From Google’s quantum breakthroughs to Bitcoin’s BIP-360 and BIP-361 proposals, the race to secure crypto before “Q-Day” has officially begun.

In March 2026, Google’s Quantum AI team published a 57-page whitepaper that redrew the threat map for every blockchain on Earth. The core finding: breaking the 256-bit elliptic curve cryptography that secures Bitcoin and Ethereum could require fewer than 500,000 physical qubits, roughly a 20x reduction from the team’s own 2019 estimate. On a future superconducting machine, the attack could finish in approximately nine minutes, fast enough to intercept a transaction before it confirms in a single block.

That same month, Google opened its Willow Early Access Program, giving select research partners hands-on time with its 105-qubit processor — a chip that can complete a benchmark computation in under five minutes that would take a classical supercomputer roughly 10 septillion years. Willow is not a threat to Bitcoin today, but it sits at Milestone 2 on a roadmap whose endpoint is a million-qubit, fault-tolerant system.

Meanwhile, the regulatory clock is ticking independently of the hardware. The National Institute of Standards and Technology (NIST), under its IR 8547 transition plan, has mandated that all quantum-vulnerable algorithms — including ECDSA, the very scheme Bitcoin uses — must be deprecated by 2030 and completely disallowed by 2035. Google has set its own internal post-quantum migration deadline for 2029.

Bitcoin’s developers are not ignoring the signal. Two draft proposals — BIP-360, published in February 2026, and BIP-361, merged into the official Bitcoin BIPs repository in April 2026 — represent the first concrete technical roadmap to quantum-harden the network. Together, they chart a phased, multi-year migration that touches every wallet, every exchange, and every UTXO on the chain. But the engineering challenge is immense, and the timeline stretches five to seven years from the date consensus forms — a race against physics that Bitcoin has never had to run before.

BIP-360: The Architecture of Pay-to-Merkle-Root

To understand what BIP-360 fixes, you first need to understand what Taproot accidentally exposed.

When Bitcoin activated Taproot (P2TR) in November 2021, it introduced a powerful upgrade that bundled complex smart contract logic into a single, efficient transaction format. But the standard spending path — the “key-path spend” — places the user’s public key directly on the blockchain in plaintext. For classical computers, that is no problem; reversing an elliptic curve public key to derive its private key is computationally infeasible. For a sufficiently powerful quantum computer running Shor’s algorithm, it is a matter of minutes.

As of March 1, 2026, on-chain data cited directly in BIP-361 shows that more than 34% of all bitcoins — roughly 6.5 to 6.9 million Bitcoin (BTC) — have their public keys exposed on the blockchain. That includes approximately 1.7 million BTC in early Pay-to-Public-Key (P2PK) addresses, a significant portion of which is widely believed to belong to Bitcoin’s creator Satoshi Nakamoto.

BIP-360, authored by Hunter Beast (MARA Protocol), Ethan Heilman, and Isabel Foxen Duke, addresses this by introducing Pay-to-Merkle-Root (P2MR) — a new output type that uses SegWit version 2 and gives wallets a new address prefix starting with bc1z.

Think of Taproot as a locked safe where one key hangs on a hook outside the door. Convenient, but visible to anyone walking past. P2MR removes the hook entirely. It commits directly to the Merkle root of a script tree, completely hiding the public key from the ledger until the exact moment a specific script branch is executed and spent. The script tree itself preserves all of Taproot’s flexibility — multi-signature schemes, time-locks, and complex spending conditions — but without ever broadcasting the raw public key to the public chain.
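
An added sketch (not code from BIP-360 or its authors) of the commitment described above: it hashes three constructed leaf scripts into a Merkle root with BIP-341's TapLeaf/TapBranch tagged hashes and encodes the root as a witness version 2 bech32m address. That P2MR reuses those hashes with an `OP_2 <32-byte root>` output, the pairwise tree shape, and the placeholder key bytes are assumptions made for illustration.

```python
import hashlib

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3

def tagged_hash(tag: str, msg: bytes) -> bytes:
    t = hashlib.sha256(tag.encode()).digest()   # BIP-340 style tagged hash
    return hashlib.sha256(t + t + msg).digest()

def leaf_hash(script: bytes, leaf_version: int = 0xC0) -> bytes:
    assert len(script) < 253, "one-byte compact size only in this sketch"
    return tagged_hash("TapLeaf", bytes([leaf_version, len(script)]) + script)

def merkle_root(level: list) -> bytes:
    # Fold hashes pairwise; each pair is sorted before hashing, an odd one is carried up.
    while len(level) > 1:
        nxt = [tagged_hash("TapBranch", b"".join(sorted(level[i:i + 2])))
               for i in range(0, len(level) - 1, 2)]
        level = nxt + ([level[-1]] if len(level) % 2 else [])
    return level[0]

def polymod(values) -> int:
    chk = 1
    for v in values:
        top, chk = chk >> 25, (chk & 0x1FFFFFF) << 5 ^ v
        for i, g in enumerate((0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)):
            chk ^= g if (top >> i) & 1 else 0
    return chk

def segwit_address(hrp: str, witver: int, program: bytes) -> str:
    acc, bits, data = 0, 0, [witver]
    for b in program:                 # regroup 8-bit bytes into 5-bit symbols
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5:
            bits -= 5
            data.append((acc >> bits) & 31)
    if bits:
        data.append((acc << (5 - bits)) & 31)
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    pm = polymod(hrp_exp + data + [0] * 6) ^ BECH32M_CONST
    data += [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data)

# Constructed sample: three leaf scripts of the form <32-byte key> OP_CHECKSIG.
KEYS = [bytes([n]) * 32 for n in (1, 2, 3)]     # placeholder bytes, not real keys
SCRIPTS = [b"\x20" + k + b"\xac" for k in KEYS]
ROOT = merkle_root([leaf_hash(s) for s in SCRIPTS])
SCRIPT_PUBKEY = b"\x52\x20" + ROOT              # OP_2 <32-byte root>, assumed layout
ADDRESS = segwit_address("bc", 2, ROOT)
print(ADDRESS, SCRIPT_PUBKEY.hex())
```

The address begins with bc1z because witness version 2 maps to the bech32 character z, and the key bytes appear only inside the hashed leaf scripts, never in the output itself.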

BTQ Technologies deployed the first functional implementation of BIP-360 on its Bitcoin Quantum testnet (v0.3.0) in March 2026, with all five Dilithium post-quantum signature opcodes enabled in the P2MR tapscript context. Over 50 miners have joined the network, and more than 100,000 blocks have been mined, proving the concept works in a live testing environment.

BIP-361: The Three-Phase Legacy Sunset

BIP-360 builds the defensive infrastructure. BIP-361, authored by Jameson Lopp (Casa), Christian Papathanasiou, Ian Smith, Joe Ross, Steve Vaile, and Pierre-Luc Dallaire-Demers, acts as the enforcement arm — a phased plan to sunset legacy cryptography across the entire network.

The proposal was published to GitHub on April 14, 2026, and pinned by Bitcoin BIPs editor Murch (Mark Erhardt) the following day. It lays out three distinct phases, each triggered by block height rather than calendar date:

Phase A: The Voluntary Buffer (Activation to ~Year 3)

For the first 160,000 blocks after activation (roughly three years), nothing changes for existing addresses. Nodes upgrade via a soft fork, and users can begin creating new P2MR addresses and migrating funds out of older formats: P2PK, P2PKH, P2SH, and standard Taproot (P2TR). The network incentivizes migration, but does not force it.

Phase B: The Deposit Ban (~Year 3 to ~Year 5)

At the Phase A deadline, the network enforces a protocol-level rule: no new Bitcoin can be sent to legacy, quantum-vulnerable address formats. Users can still spend out of those addresses to clear them, but the inbound door is shut. This creates a one-way migration pressure that accelerates the transition without immediately locking anyone out.

Phase C: Full Signature Invalidation (~Year 5 Onward)

This is the phase drawing the most fire. At a predetermined block height, consensus nodes formally reject any transaction relying solely on legacy ECDSA or Schnorr signatures. Any Bitcoin remaining in those vulnerable addresses is effectively frozen; the mempool will not accept attempts to move them. Lopp himself has said he dislikes the idea but considers the alternative — mass quantum theft — far worse.

The BIP’s authors cite Satoshi Nakamoto’s own logic, but invert it for the quantum era. Satoshi once noted that lost coins simply make the remaining supply more valuable. The BIP-361 authors argue that coins stolen by a quantum computer would devalue every other bitcoin — making a temporary freeze the lesser evil.

The Escape Hatch: Zero-Knowledge Recovery

The most immediate objection to the freeze is obvious: what happens to users who are inactive, incapacitated, or simply unaware of the migration deadline? Under Phase C, their keys are useless, and their coins are locked.

BIP-361 acknowledges this with a proposed Phase C recovery mechanism — though the authors and reviewers are careful to note it remains under active research and does not yet exist in working form.

The concept relies on zero-knowledge (ZK) proofs. A user would construct a cryptographic proof demonstrating they hold the valid BIP-39 seed phrase behind the frozen wallet, without ever revealing the seed or the raw public key to the public mempool. If the proof checks out, the network releases the funds directly to a fresh bc1z (P2MR) address.

Lightning Labs CTO Olaoluwa “Roasbeef” Osuntokun has already released a working zk-STARK prototype that demonstrates this concept — proving seed ownership derived from a BIP-32/BIP-86 hierarchy without exposing any private key material. It is a proof of concept, not production software, but it establishes the technical pathway.

However, the mechanism has a structural blind spot. Cardano Founder Charles Hoskinson publicly argued that the ZK recovery scheme cannot rescue the approximately 1.7 million BTC locked in addresses predating 2013 — coins that were created before BIP-32 (hierarchical deterministic wallets) and BIP-39 (mnemonic seed phrases) even existed. The BIP-361 text itself concedes this limitation, stating it is “not possible to construct a proof of HD wallet ownership for UTXOs created before BIP-32 existed.”

GitHub reviewer Conduition called Phase C “the most critical component of any confiscatory freeze proposal” and argued the BIP is incomplete without a fully developed recovery path.

The Break-Glass Alternative: Forkless Brute Force

The intense debate over BIP-360 and BIP-361 underscores a harsh reality: changing Bitcoin’s core protocol requires a massive consensus that may not form in time. But what if “Q-Day” arrives and the network hasn’t upgraded?

In April 2026, StarkWare Chief Product Officer Avihu Levy introduced an intriguing alternative called Quantum-Safe Bitcoin (QSB). Built on earlier cryptographic concepts like Robin Linus’s Binohash, QSB is a “prophylactic” transaction scheme that works entirely within Bitcoin’s existing legacy script rules. It requires absolutely no soft fork, no new opcodes, and zero network-wide governance approval.

To bypass the vulnerable elliptic-curve cryptography (ECDSA/Schnorr) that Shor’s algorithm can crack, QSB relies entirely on the pre-image resistance of the legacy RIPEMD-160 hash function, a mathematical primitive that quantum computers cannot meaningfully accelerate. It replaces standard digital signatures with an off-chain “hash-to-signature” puzzle.

However, achieving quantum security without a network upgrade requires a devastating trade-off in computational density and economics:

  • The GPU Grinding Cost: To construct a single valid QSB transaction, a user’s local machine must execute roughly 70 trillion brute-force hashing attempts off-chain.
  • The Financial Toll: StarkWare’s real-world testing required hours of parallel cloud computing across multiple GPUs, translating to an estimated $75 to $200 in raw computing costs per single transaction.
  • The Usability Wall: Because these transactions are dense, complex, and push Bitcoin’s legacy limits (exactly 201 non-push opcodes), they are fundamentally incompatible with layer-2 scaling like the Lightning Network and would likely be rejected by standard mempool relay policies, forcing users to submit them directly to mining pools.

Levy himself openly labels QSB a “last-resort measure.” It functions effectively as an emergency bunker: if a surprise quantum threat emerges tomorrow, whale wallets can pay hundreds of dollars to lock their funds inside a hash-vessel. But as an ecosystem-wide payment network, QSB’s high friction proves why a proactive, protocol-level migration like BIP-360/361 is the only viable path forward for the broader market.

The Engineering Bottleneck: Why This Takes Seven Years

If the threat is clear and the architecture is designed, why can’t Bitcoin just flip the switch?

The answer lies in a brutal mathematical tradeoff: post-quantum signatures are enormous.

A standard Schnorr signature, the kind Bitcoin uses today via Taproot, is roughly 64 bytes: tiny and hyper-efficient. The post-quantum algorithms under review tell a different story entirely. FALCON-512, one of the more compact lattice-based options, produces signatures around 690 bytes. CRYSTALS-Dilithium (ML-DSA-44), the NIST-standardized lattice scheme, runs to approximately 2,420 bytes per signature. And SPHINCS+ (SLH-DSA), the conservative hash-based fallback, balloons to roughly 7,856 bytes, a 125x increase over Schnorr.

The network impact is immediate and severe. Bitcoin blocks have a theoretical maximum weight of 4 megabytes and a realistic effective ceiling closer to 2 megabytes. If every transaction on the network switched to even the most compact post-quantum signature tomorrow, block space would fill up almost instantly. Transaction fees would skyrocket. Throughput would degrade. The network’s capacity to process payments would drop dramatically.

This is not a theoretical concern; it is the central engineering constraint driving the entire multi-year timeline. Developers need time to test signature compression techniques, evaluate witness stack discounts (the SegWit framework that already gives signature data a 75% weight reduction), and determine which algorithm or hybrid combination balances security, size, and verification speed. BIP-360’s architecture is deliberately algorithm-agnostic for this reason: it builds the structural container (P2MR) now, and lets the community settle the signature question over the coming years.
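
An added back-of-the-envelope model (not from either BIP) of the block-space constraint described above: it estimates how many single-signature spends fit in one block for each signature size quoted in the article, with and without the SegWit witness discount. The 94-byte non-witness transaction, the public key sizes (taken from the schemes' specifications, not from the article), and the simplification that the witness holds only a signature and a public key are assumptions.

```python
MAX_BLOCK_WEIGHT = 4_000_000   # consensus limit in weight units (WU)
BASE_BYTES = 94                # assumed 1-input, 1-output tx without witness data

# name: (signature bytes as quoted in the article, public key bytes from the scheme specs)
SCHEMES = {
    "Schnorr":    (64, 32),
    "FALCON-512": (690, 897),
    "ML-DSA-44":  (2420, 1312),
    "SLH-DSA":    (7856, 32),
}

def compact_size_len(n: int) -> int:
    return 1 if n < 253 else 3   # length prefix; enough for items under 64 KiB

def witness_bytes(sig: int, pubkey: int) -> int:
    # marker + flag + item count, then each stack item with its length prefix
    return 3 + sum(compact_size_len(n) + n for n in (sig, pubkey))

def tx_weight(sig: int, pubkey: int, discount: bool = True) -> int:
    # Non-witness bytes cost 4 WU each; witness bytes cost 1 WU when discounted.
    w = witness_bytes(sig, pubkey)
    return 4 * BASE_BYTES + (w if discount else 4 * w)

def txs_per_block(name: str, discount: bool = True) -> int:
    return MAX_BLOCK_WEIGHT // tx_weight(*SCHEMES[name], discount)

def capacity_table() -> dict:
    return {n: (txs_per_block(n), txs_per_block(n, discount=False)) for n in SCHEMES}

for name, (with_d, without_d) in capacity_table().items():
    print(f"{name:<11} {tx_weight(*SCHEMES[name]):>6} WU  {with_d:>5} tx/block "
          f"(no discount: {without_d})")
```

Real script-path spends also carry the leaf script and a control block, so these counts are upper bounds under the stated model.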

BIP-360 co-author Hunter Beast has estimated a full Bitcoin migration to quantum resilience would take seven years from the day consensus forms. For context, SegWit took approximately 8.5 years from conception to adoption. Taproot took 7.5 years.

A Pragmatic, Low-Time-Preference Evolution

BIP-360 and BIP-361 are not a panic response. They are a calculated, slow-rolling cryptographic migration, the kind of deliberate, measure-twice-cut-once engineering that has defined Bitcoin’s development philosophy since its earliest days.

The proposals are still drafts. The deployment section of BIP-361 was pulled before final approval; Lopp confirmed on GitHub that the preconditions for deployment have not been met — a consensus-backed post-quantum signature scheme must come first.

But the roadmap is now concrete, public, and under active review. The quantum testnet is live. The ZK recovery prototype exists. The signature research is advancing across lattice-based, hash-based, and hybrid approaches. And the broader ecosystem, from NIST’s 2035 deadline to Google’s 2029 internal target, is moving in the same direction.

The question is no longer whether Bitcoin needs a post-quantum upgrade. It is whether the network can complete one of the most complex cryptographic migrations in the history of finance before the physics catches up.

Dhara Chavda is a Content Strategist and Research Analyst with 5 years of experience in the crypto industry. She holds a Bachelor’s degree in Computer Engineering and brings a strong technical perspective to her work. Dhara specializes in DeFi, price analysis, and the core mechanics of cryptocurrencies. She also works on crypto news, including research, analysis, and assigning stories, ensuring accurate and timely coverage of key developments in the space.