• Home
  • Industry Blog
  • Migration Is the Hard Part

Migration Is the Hard Part

Picture2wolfgang.png
Wolfgang Amadeus VitaleCrypto Protocol Expert
16 Jul 20269 Min

A sufficiently powerful quantum computer running Shor's algorithm could derive private keys from exposed public keys, breaking the elliptic curve cryptography (ECC) that Bitcoin depends on for digital signatures. The preparation window is measured in years, not decades, and the clock is already running. But implementing a solution could prove as challenging as developing one. 

Some cryptographic replacements for ECC exist, are standardized, and are considered safe. That is the good news. The problem is that these standards were not optimized for Bitcoin, and deploying them smoothly requires consensus among thousands of nodes, active participation from millions of holders, and years of coordinated execution on a network designed to resist change.

How large are post-quantum signatures — and what do they mean for Bitcoin's throughput?

The post-quantum signature schemes standardized by the National Institute of Standards and Technology (NIST) to date fall into two cryptographic families: lattice-based and hash-based schemes. Both rely on mathematical problems  that no known quantum algorithm can efficiently solve.  

While both families are also considered safe against classical attacks, hash-based digital signatures are a more conservative choice, as they rely only on the security properties of hash functions, which are already fundamental to Bitcoin design. For this reason, there is rough consensus on preferring hash-based post-quantum cryptography for Bitcoin, at least as a first step. However, the hash-based scheme standardized by NIST (SLH-DSA) produces signatures of approximately 8 kilobytes. A current ECC signature is 64 bytes, making this a roughly 125-fold increase in size. 

If you simply replaced Bitcoin's current signatures with SLH-DSA, the network's throughput would drop from roughly six transactions per second to 0.3 — one transaction every three seconds, for the entire world. This is why the migration cannot be treated as a software update. The NIST standards were designed for general-purpose cryptography, not for blockchains with hard constraints on block space.  

Still, Bitcoin developers are working on optimizations that reduce this penalty. Blockstream's SHRINCS proposal, for example, achieves a 324-byte signature, which is dramatically smaller than the NIST baseline, but still roughly five times larger than what Bitcoin uses today.  

In general, there is no “perfect” replacement for ECC digital signatures: post-quantum digital signatures introduce tradeoffs between size, signing and verification speed, suitability for aggregation, and the strength of the underlying security assumptions.

How long will Bitcoin's migration take — and what happens to coins that cannot move?

Even after consensus emerges on a post-quantum signature scheme suitable for Bitcoin, every holder must actively migrate their coins to a new address type. This is not automatic — every holder must do it themselves. 

Some holders will not be able to — keys get lost, wallets get abandoned, and the coins sitting in those addresses cannot be upgraded without their owner's participation. This raises a question that is both technical and political: should migration remain open-ended, or should the network set a deadline? 

Without a deadline, unmigrated coins remain permanently vulnerable. A sufficiently capable quantum computer could extract the private keys and move the funds. With a deadline, coins that have not migrated become unspendable, effectively frozen – potentially recoverable with further changes to Bitcoin – or permanently burned, depending on how the keys were generated. That protects the network from the impact of "quantum theft", but it destroys access for anyone who missed the window or could not act in time. 

And the throughput constraint makes the timeline genuinely challenging. Even under optimistic assumptions about prioritized and efficient use of blockspace, migrating the full UTXO set would take months. Realistically, coordinating wallets, exchanges, custodians, miners, and individual holders will take years.

The governance dimension

Bitcoin's decentralization is its most fundamental property. Its growth and success as store of value and medium of exchange depends on ever-increasing evidence that no person, institution or coordinated group can unilaterally change the rules of the protocol or confiscate funds. But this is also what makes coordinated protocol changes extraordinarily challenging. The block size debate of 2015–2017 demonstrated how contentious Bitcoin upgrades can be — and that dispute resulted in community splits that are still felt today.  

Post-quantum migration reopens the same fault lines. If larger signatures require larger blocks, the technical question becomes inseparable from the political one. Unlike highly technical questions that have measurable tradeoffs and can be delegated to a smaller group of experts, the question on lost coins has more subjective impact on Bitcoin’s monetary legitimacy, and it is likely to attract strong views across the entire community, potentially even leading to long-lived chain splits. 

Consensus in Bitcoin takes years, and the migration clock only starts after that consensus is reached. A chain split is preferable to paralysis trying to achieve full consensus on migration strategies. The good news is that first steps in the migration process can be taken without forcing a decision on the migration deadline.

Where Bitcoin's post-quantum migration stands today

BIP-360, merged into the official Bitcoin Improvement Proposals repository in February 2026, is likely to be the first concrete step. It introduces a new output type called Pay-to-Merkle-Root (P2MR), structurally similar to Taproot, Bitcoin's most recent major upgrade to how transactions are signed and verified, but which removes the quantum-vulnerable spending path that exposes public keys on~-~chain. This creates the structural foundation for deploying post-quantum signature schemes via a subsequent soft fork, and testnets are already running. 

But BIP-360 is explicitly a first step, not a solution. It does not prescribe which post-quantum signature algorithm Bitcoin should adopt — that decision, with all its tradeoffs, remains open. After BIP-360, at least one additional fork is needed to actually enable signing with a post-quantum scheme. The choice of algorithm and the fee implications of larger signatures are all still ahead, along with the migration mechanics themselves. 

BIP-361, merged as an informational BIP in May 2026, goes further: it proposes a phased sequence of soft forks that would first restrict sending to quantum-vulnerable addresses, then disable spending from them entirely – effectively implementing a migration deadline – and finally enable a recovery path for holders who can prove knowledge of the seed used to generate the keys. The main goal of this proposal is to have a formal basis for discussion on migration strategies, anticipated to be highly contentious.

What this means

The cryptographic tools for taking first steps towards a quantum-resistant Bitcoin exist today. The question is whether the coordination timeline can advance faster than the threat timeline is compressing. Major infrastructure providers and other blockchain protocols are targeting 2029 for their own post-quantum transitions. At this point it is a consensus view that high value assets and systems should be fully post-quantum secure by that time or shortly after.  

The decisions ahead, from which signature algorithm to adopt to whether unmigrated, unrecoverable coins should eventually be burned, will shape Bitcoin for decades. They require broad consensus, and that consensus will be contested. Bitcoin deserves a contested debate, but not an indefinite one: every year spent without a decision reduces the time available for an orderly migration. For Bitcoin to successfully complete its post-quantum migration by early 2030s, the governance process must accelerate.

Related Articles

  • Quantum Research

    How Close Are We? The Quantum Timeline

    When you hold Bitcoin, what you actually own is knowledge of a private key. Elliptic-curve cryptography (ECC) lets you prove you know it without ever revealing it, using a digital signature and a corresponding public key.

    30 Jun 20269 Min
  • Quantum Research

    The Quantum Threat to Bitcoin: What You Need to Know

    The first thing I want to make very, very clear is that a quantum computer is not a faster version of a classical computer. It is a completely different machine. It works with a fundamentally different unit of information.

    16 Jun 20266 Min
  • Quantum Research

    When the Encryption Breaks

    Quantum computing is no longer a thought experiment. For any organization that holds, custodies, or transacts in digital assets, it has become a governance problem that needs to be on the agenda now.

    19 May 20266 Min

Personal Support, Every Step

Our team of native experts are here to provide you with the tools, insights and support you need.

Opening hours

24/7 online

Monday to Friday: 7am to 7pm

contact@bitcoinsuisse.com

0800 800 008

Call us toll-free from Switzerland

+41 41 660 00 00

Call us from abroad