Key Takeaways:
Bitcoin developers published the network's first quantum-resistant address proposal, kicking off a years-long migration that could freeze Satoshi Nakamoto's 1 million coins.
Bitcoin developers introduced BIP-360 on Feb. 11, the network's first quantum-resistant address type, as the timeline for a cryptographically relevant quantum computer narrowed to as soon as 2030. Roughly 6.8 million BTC, or 32% of all coins ever mined, sit in addresses with public keys already exposed on-chain, according to Project Eleven, a research group tracking the quantum threat.
"The migration takes years, the vulnerable supply is enormous, and starting late could be catastrophic," Justin Drake, a researcher at the Ethereum Foundation and co-author of Google's March 2026 quantum paper, said. Drake now places 50% odds on Q-Day — the moment a quantum computer breaks live blockchain cryptography — by 2032, with a 10% chance as early as 2030.
Google's Quantum AI team published research on March 31 showing a 10-fold improvement in cracking secp256k1, the elliptic curve securing every Bitcoin transaction. The attack could require fewer than 1,200 logical qubits, down from a prior estimate of 9 million physical qubits, with runtimes under nine minutes on a future machine, the paper showed. An 18-year-old researcher using an AI agent swarm independently reached 80% of Google's unpublished breakthrough over a weekend, according to Sreeram Kannan, founder of EigenLayer.
The proposals force Bitcoin's most consequential choice since its creation: whether to freeze roughly 1.7 million BTC in ancient addresses — including Satoshi Nakamoto's estimated 1 million coins — to prevent a future quantum heist, or uphold the principle that no coins should ever be frozen by the network.
How BIP-360 and BIP-361 Work
BIP-360 introduces a new output type called Pay-to-Quantum-Resistant-Hash, or P2QRH, that replaces elliptic-curve signatures with NIST-approved post-quantum algorithms such as ML-DSA. New addresses begin with the prefix "bc1r," and spending from them requires post-quantum signatures rather than the quantum-vulnerable ECDSA or Schnorr signatures used today. The upgrade deploys as a soft fork, meaning legacy nodes treat the new outputs as anyone-can-spend while upgraded nodes validate them correctly.
The trade-off is size. Post-quantum signatures from schemes like SLH-DSA can reach 8 kilobytes, far larger than current signatures, which would consume more block space and could push fees higher unless miners offer a witness discount. BIP-360 is designed as a minimal first step — it protects newly created coins and those whose holders choose to migrate, while leaving the harder engineering problems to future work.
BIP-361, published April 14, tackles the exposed legacy supply. It proposes a deadline by which holders of vulnerable coins must migrate to quantum-resistant addresses, after which the network would stop honoring spends from old signature types. The mechanism would freeze coins that cannot migrate — including the estimated 1.7 million BTC in ancient Pay-to-Public-Key addresses, roughly 1 million of which are widely believed to belong to Satoshi Nakamoto.
The Debate Over Frozen Coins
The freeze question pits two foundational Bitcoin principles against each other. One holds that the network must never confiscate or freeze coins, a tenet embedded in Bitcoin's credibility since its inception. The other argues that allowing a quantum attacker to sweep 6.9 million BTC and dump them on the market would destroy confidence far more decisively than a preemptive freeze.
"Freezing coins, even to protect them, violates the property-rights absolutism that many Bitcoiners hold sacred," the BIP-361 authors wrote, acknowledging the tension. Supporters counter that doing nothing guarantees those coins will eventually be stolen — a more chaotic form of loss.
Ethereum has committed to a 2029 post-quantum migration target, while the U.S. government's NIST deadline for transitioning off quantum-vulnerable cryptography is 2035. Drake dismissed that timeline as "a joke." Charles Guillemet, chief technology officer at Ledger, said most organizations have not even started a cryptographic inventory.
For ordinary holders, the immediate step is simple: stop reusing Bitcoin addresses. Any address from which coins have already been spent has an exposed public key permanently on-chain. When BIP-360 addresses become widely available, holders can migrate to the new "bc1r" format for full protection.
No quantum computer capable of breaking Bitcoin's cryptography exists today. But as Guillemet put it: "In security, the moment you start doubting the foundation is the moment you start rebuilding it. Not the moment you panic. The moment you plan."
This article is for informational purposes only and does not constitute investment advice.
