Bitcoin's Proposed Quantum-Resistant Migration Plan
As cryptographically relevant quantum computers inch closer to reality, Bitcoin developers have unveiled an ambitious roadmap to secure the world’s largest cryptocurrency against an existential threat.
The Ticking Clock
In July 2025, a coalition of cryptography and blockchain experts—including Casa co-founder Jameson Lopp and BitcoinQS founder Christian Papathanasiou—published a draft Bitcoin Improvement Proposal (BIP) that could represent the most significant protocol upgrade in Bitcoin’s history. Titled “Post Quantum Migration and Legacy Signature Sunset,” the proposal outlines a structured plan to phase out Bitcoin’s current quantum-vulnerable cryptographic signatures before it’s too late.
The timing isn’t coincidental. Academic forecasts suggest cryptographically relevant quantum computers could emerge as early as 2027 to 2030, according to McKinsey research. Meanwhile, quantum algorithms are improving at an alarming rate—up to 20x faster than hardware advances alone—steadily narrowing what researchers call the “envelope of safety.”
Understanding the Vulnerability
Bitcoin’s security currently rests on two pillars: the SHA-256 hash function and elliptic-curve signatures, namely the Elliptic Curve Digital Signature Algorithm (ECDSA) and Schnorr. While SHA-256 remains relatively resilient against quantum threats, ECDSA and Schnorr signatures face an existential problem.
Shor’s algorithm, when run on a sufficiently powerful quantum computer, could derive private keys from public keys in polynomial time—effectively rendering current Bitcoin cryptography meaningless. The critical vulnerability lies in the roughly 25% of all Bitcoin (approximately 6-7 million BTC worth hundreds of billions of dollars) held in addresses where public keys have already been exposed on-chain.
These exposed addresses include:
Early Bitcoin holdings using the Pay-to-Public-Key (P2PK) format, including Satoshi Nakamoto’s estimated 1.1 million BTC
Reused addresses where public keys were revealed during previous transactions
Institutional and exchange wallets that frequently reuse addresses for operational convenience
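Whether an output's public key is already on-chain can be read from its output script plus its spending history. The following is an added example, not code from the BIP or from the original article: it classifies standard scriptPubKey templates and sums the value held behind already-public keys. It goes slightly beyond the list above by also covering Taproot outputs, which carry the public key directly in the script. The script bytes, amounts and the `spent_scripts` reuse set are constructed placeholders.

```python
# Added example: which outputs already reveal a public key? All sample data is constructed.

def classify(spk_hex: str) -> tuple[str, bool]:
    """Return (script type, True if the public key is visible in the output script)."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC and s[1] in (2, 3, 4):
        return "P2PK", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH", False
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "P2SH", False
    # Witness v0: OP_0 <20-byte key hash> or OP_0 <32-byte script hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", False
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH", False
    # Taproot: OP_1 <32-byte x-only output key>; the key itself sits in the script
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR", True
    return "unknown", False

def exposed_sats(utxos, spent_scripts):
    """Sum satoshis in UTXOs whose key is public: visible in the script itself,
    or revealed earlier because the same script was already spent from (reuse)."""
    return sum(sats for spk, sats in utxos
               if classify(spk)[1] or spk in spent_scripts)

# Constructed placeholder scripts (repeated filler bytes, not real keys or hashes).
P2PK = "41" + "04" + "11" * 64 + "ac"
P2PKH_REUSED = "76a914" + "22" * 20 + "88ac"
P2PKH_FRESH = "76a914" + "33" * 20 + "88ac"
P2WPKH_FRESH = "0014" + "44" * 20
P2TR = "5120" + "55" * 32

# (scriptPubKey hex, value in satoshis); SPENT models observed address reuse.
UTXOS = [(P2PK, 5_000_000_000), (P2PKH_REUSED, 70_000), (P2PKH_FRESH, 30_000),
         (P2WPKH_FRESH, 10_000), (P2TR, 250_000)]
SPENT = {P2PKH_REUSED}

if __name__ == "__main__":
    for spk, sats in UTXOS:
        print(classify(spk), sats, "reused" if spk in SPENT else "")
    print("exposed sats:", exposed_sats(UTXOS, SPENT))
```

In a real audit the `spent_scripts` set would come from indexing every input on-chain; hashed outputs that were never spent from stay out of the exposed total.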
The Three-Phase Migration Roadmap
The proposed BIP introduces a carefully staged transition designed to give the ecosystem ample preparation time while establishing firm deadlines:
Phase A: Blocking New Vulnerable Addresses (Year 3 after activation)
Beginning three years after the BIP’s activation, the network would block all new transactions to legacy ECDSA/Schnorr addresses. Users would be directed to migrate their funds to quantum-resistant P2QRH (Pay-to-Quantum-Resistant-Hash) addresses. This creates a clear signal that the transition is underway while preserving existing functionality.
Phase B: Legacy Signature Sunset (Year 5 after activation)
The more dramatic phase arrives two years later: all nodes would reject transactions signed using ECDSA or Schnorr, effectively rendering legacy outputs unspendable at the consensus layer. This “flag day” approach, while aggressive, creates the certainty the authors believe is necessary for coordinated action.
Phase C: Optional Recovery Mechanism (Future)
Recognizing that some users may miss the deadline—particularly holders of lost or forgotten wallets—the proposal contemplates a potential hard fork allowing recovery through zero-knowledge proofs of BIP-39 seed phrase possession. However, this phase remains under research and is not guaranteed.
The “Silent Collapse” Scenario
Perhaps the most sobering warning comes from cybersecurity expert David Carvalho, CEO of Naoris Protocol, who has framed the quantum threat not as a dramatic, Hollywood-style attack but as something far more insidious: a “silent collapse.”
In Carvalho’s analysis, the convergence of quantum computing and artificial intelligence could enable attacks that don’t manifest as obvious breaches. Instead, AI-driven quantum attacks could automatically probe for vulnerabilities, simulate network behavior, and adapt tactics in real-time while quantum machines quietly derive private keys in the background.
The result wouldn’t be a livestreamed cracking algorithm but rather a slow erosion of trust—missing transactions here, funds inexplicably redirected there, governance votes quietly subverted—until confidence in the network fundamentally fractures.
This threat is compounded by the “harvest now, decrypt later” strategy already underway. State-sponsored actors and cybercriminal organizations are reportedly collecting encrypted blockchain data today, stockpiling it for future decryption once quantum capabilities mature.
The Regulatory Alignment
The Bitcoin community’s migration timeline deliberately aligns with broader governmental mandates for post-quantum cryptography:
NIST Guidelines (November 2024):
RSA, ECDSA, and related algorithms deprecated by 2030
Complete disallowance by 2035
First PQC standards (ML-KEM, ML-DSA, SLH-DSA) released in August 2024
NSA CNSA 2.0 Requirements:
Software and firmware signing must use PQC exclusively by 2030
Traditional networking equipment (VPNs, routers) must comply by 2030
Web browsers and cloud services by 2033
Full transition for National Security Systems by 2035
The U.S. government has projected a $7.1 billion budget for migrating federal systems to quantum-safe cryptography, with private-sector costs expected to reach tens of billions. More than 20 billion digital devices globally may require upgrades over the next two decades.
Technical Challenges Ahead
The transition faces substantial technical hurdles that the Bitcoin community must address:
Signature Size Explosion: Post-quantum signatures are dramatically larger than their classical counterparts. CRYSTALS-Dilithium signatures run approximately 2,420 bytes compared to ECDSA’s 72 bytes or Schnorr’s 64 bytes. SPHINCS+ signatures can reach 29,000 bytes or more. This could reduce transaction throughput by a factor of 40 or more, creating significant scalability concerns.
Coordination Complexity: Bitcoin’s decentralized nature—its greatest strength—becomes a coordination challenge during protocol upgrades. The proposal’s authors acknowledge this openly: “The longer we postpone migration, the harder it becomes to coordinate.”
Backward Compatibility: The proposal intentionally uses soft forks rather than hard forks where possible, allowing gradual deployment without disrupting current nodes. However, fully integrating NIST-approved algorithms like CRYSTALS-Dilithium may ultimately require harder changes to the protocol.
Industry Alignment: Wallets, exchanges, hardware vendors, and custodians must all update their infrastructure. The clear, time-boxed deadline aims to create the certainty needed to motivate these stakeholders.
The Stakes
The authors of the BIP are blunt about what’s at risk: “Never before has Bitcoin faced a truly existential threat to its cryptographic primitives. A successful quantum attack on Bitcoin would result in significant economic disruption and damage across the entire ecosystem.”
Even if Bitcoin isn’t the primary target of the first cryptographically relevant quantum computer, widespread knowledge that such a machine exists would devastate confidence in the network. As the proposal notes, an attack may not even be economically motivated—a state actor could seek to destroy value and trust rather than extract it.
The proposal also addresses what happens to coins that never migrate. Bitcoin held in addresses that fail to transition would become permanently unspendable—a controversial but intentional design choice that echoes Satoshi Nakamoto’s original vision for lost coins serving as a slight supply reduction benefit to all other holders.
The Path Forward
The Bitcoin community now faces what may be one of its most significant debates since the block size wars. The proposal remains in draft form without a formal BIP number or activation method, but it sets the stage for critical decisions.
Several interim measures are already under development:
BIP-360 proposes P2QRH addresses as a “pragmatic first step”
Hybrid solutions using dual ECDSA/post-quantum signatures for transition compatibility
Address diversification strategies (El Salvador has reportedly split its 6,284 BTC across 14 different wallets)
Zero-knowledge proof systems like StarkWare’s STARKs offering inherent quantum resistance
Major financial institutions are taking notice. BlackRock added quantum computing as a critical risk warning to their Bitcoin ETF filing in 2025, noting that quantum advances could “undermine the viability” of cryptographic algorithms across the entire global tech stack.
Conclusion
The quantum threat to Bitcoin represents a peculiar kind of emergency—one that feels distant and abstract until suddenly it isn’t. The community has perhaps five to ten years to execute what would be the largest protocol upgrade in cryptocurrency history, affecting trillions of dollars in value and forcing changes across the entire ecosystem.
As the BIP authors warn: the cost of inaction could be the loss of billions in value and trust built over 16 years. The quantum clock is ticking, and the Bitcoin community must decide whether to act decisively now or risk a potentially catastrophic “silent collapse” later.
The choice, as always in Bitcoin’s decentralized world, ultimately belongs to the community.
References
Bitcoin Improvement Proposal - Post Quantum Migration and Legacy Signature Sunset
QBIP.org
https://qbip.org/
Bitcoin BIP proposes quantum-resistant upgrade by 2030
Cointelegraph, July 16, 2025
https://cointelegraph.com/news/bitcoin-quantum-computing-threat-bip-post-quantum-migration
Bitcoin and Quantum Computing: Current Status and Future Directions
Chaincode Labs Research Paper
https://chaincode.com/bitcoin-post-quantum.pdf
Quantum Threat to Bitcoin: Silent Collapse and Post-Quantum Defense
Cointelegraph, August 2025
https://cointelegraph.com/explained/why-a-hacker-turned-ceo-believes-quantum-tech-could-break-bitcoin
Bitcoin’s quantum countdown has already begun, Naoris CEO says
Cointelegraph, July 21, 2025
https://cointelegraph.com/news/bitcoin-quantum-countdown-has-begun-naoris-ceo
NSA sets 2035 deadline for adoption of post-quantum cryptography across national security systems
FedScoop, September 2022
https://fedscoop.com/nsa-sets-2035-deadline-for-adoption-of-post-quantum-cryptography-across-natsec-systems/
NIST IR 8547: Transition to Post-Quantum Cryptography Standards
National Institute of Standards and Technology
https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
NIST’s Urgent Call: Deprecating Traditional Crypto by 2030
Entrust, December 2024
https://www.entrust.com/blog/2024/12/nists-urgent-call-deprecating-traditional-crypto-by-2030
Bitcoin Developers Propose Retirement Plan for Quantum-Vulnerable Addresses
The Currency Analytics, July 17, 2025
https://thecurrencyanalytics.com/bitcoin/bitcoin-developers-propose-retirement-plan-for-quantum-vulnerable-addresses-185712
Is Crypto Ready for Q-Day?
CoinDesk Opinion, July 1, 2025
https://www.coindesk.com/opinion/2025/07/01/is-crypto-ready-for-q-day
The Quantum Threat to Bitcoin: How AI Accelerates and Explains Q-Day
SwissCognitive, December 2025
https://swisscognitive.ch/2025/12/30/the-quantum-threat-to-bitcoin-how-ai-accelerates-and-explains-q-day/
Quantum computing threat is already here: Naoris Protocol
Crypto.news, October 2025
https://crypto.news/interview-quantum-computing-threat-is-already-here-naoris-protocol-ceo/
Bitcoin Optech: Quantum Resistance
Bitcoin Optech
https://bitcoinops.org/en/topics/quantum-resistance/
Proposal for Quantum-Resistant Address Migration Protocol (QRAMP) BIP
Bitcoin Development Mailing List
https://groups.google.com/g/bitcoindev/c/8PM6iZCeDMc



