
Bitcoin Takes First Steps Toward Post-Quantum Resistance

Wolfgang Amadeus Vitale, Crypto Protocol Expert
15 Mar 2026, 7 Min

Progress in quantum computing is a threat to protocols relying on elliptic curve cryptography. Bitcoin relies on elliptic curves for digital signatures (ECDSA), which holders use to prove ownership of their coins. Breaking ECDSA means breaking Bitcoin's property rights. This has been known and acknowledged since the early days of Bitcoin, but it was hardly seen as an urgent issue because quantum computing technology was, in practice, far from reaching a threatening scale. We predict this is going to change soon.

By the end of 2026 there will be social consensus on upgrading Bitcoin towards post-quantum resistance, formalizing plans for a soft fork. The fork will likely include either BIP-360 (P2QRH: Pay to Quantum Resistant Hash) or Pay to Taproot Hash (P2TRH). 

Currently, 6.7M BTC (worth $600B) are vulnerable to a cryptographically relevant quantum computer (CRQC), either because they are stored in unsafe UTXO types or because of address reuse. We define a CRQC as a device capable of running Shor’s algorithm at a scale sufficient to break ECDSA, extracting private keys from exposed public keys. The fork will facilitate the migration of vulnerable coins to quantum-resistant output types.
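The two exposure paths named above (unsafe output types and address reuse) can be checked per UTXO from the scriptPubKey bytes alone. The sketch below is an added example, not code from the article or from any BIP; it treats P2PK and Taproot outputs as key-exposed, assumes the caller supplies the set of scripts already spent from (`spent_before`), and uses constructed placeholder scripts and values.

```python
# Added example: classify scriptPubKeys by on-chain public-key exposure.
# Names, labels and all sample scripts are constructed for illustration.
KEY_EXPOSED = "public key on-chain"
HASHED_REUSED = "hashed, key revealed by earlier spend (address reuse)"
HASHED = "hashed, key not yet revealed"
UNKNOWN = "unrecognised script, review manually"

def script_type(spk: bytes) -> str:
    """Identify standard output templates by their exact byte layout."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"    # <33- or 65-byte pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH"
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH"
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"    # OP_1 <32-byte x-only output key>
    return "OTHER"

def exposure(spk: bytes, spent_before: set) -> str:
    kind = script_type(spk)
    if kind in ("P2PK", "P2TR"):
        return KEY_EXPOSED
    if kind in ("P2PKH", "P2WPKH", "P2SH", "P2WSH"):
        # A prior spend from the same script published the key or script.
        return HASHED_REUSED if spk in spent_before else HASHED
    return UNKNOWN

def audit(utxos, spent_before):
    """Sum satoshi value per exposure class for (scriptPubKey, value) pairs."""
    totals = {}
    for spk, value in utxos:
        label = exposure(spk, spent_before)
        totals[label] = totals.get(label, 0) + value
    return totals

# Constructed sample wallet: one output of each relevant kind.
P2PK = bytes([0x21, 0x02]) + bytes(32) + b"\xac"
P2PKH_A = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
P2WPKH_B = b"\x00\x14" + b"\x22" * 20
P2TR = b"\x51\x20" + b"\x33" * 32
UTXOS = [(P2PK, 5_000_000_000), (P2PKH_A, 100_000),
         (P2WPKH_B, 250_000), (P2TR, 75_000)]
SPENT_BEFORE = {P2PKH_A}   # assumption: this address has signed before
```

Calling `audit(UTXOS, SPENT_BEFORE)` groups the wallet's value by exposure class, which is the inventory a holder needs before deciding what to migrate first.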

Quantum readiness is the most complex upgrade in Bitcoin’s history. In addition to technical topics (e.g. post-quantum signature schemes), it requires consensus on social and economic questions about migration logistics and “lost coin” management.

Owners of BTC vulnerable to CRQCs can already migrate them to a safe address type. The problem is that some owners have lost their private keys, leaving their BTC available to CRQCs. It is believed that most of the 1.7M BTC stored in unsafe P2PK outputs is lost, including Satoshi’s coins.

The impact of Satoshi’s 1 million BTC being available as a “quantum bounty” sparked discussions on whether unmigrated coins should be “burned” (made unspendable after a deadline), “recycled” (burning and re-issuing a corresponding amount e.g. for extending miner subsidy) or left available to CRQCs. 

Due to the complexity of this upgrade, it is likely to be split into multiple soft forks. BIP-360 is a good candidate for the first fork, as it accelerates quantum readiness while keeping options open on post-quantum signature schemes, migration logistics and lost coin management. In addition, like P2TRH, it addresses the quantum vulnerability of Taproot, and it reuses most of Taproot's code.

Still, it will be challenging to reach an agreement by next year. Bitcoin naturally tends to ossify, and no fork comes for free. We believe that further progress on CRQCs will help trigger a risk mitigation strategy.

[Figure: Bitcoin supply vulnerable to Shor’s algorithm. Potential impact of long-exposure quantum attacks, depending on Bitcoin development.]

We are moving on from the noisy era of quantum computing to a path towards fault tolerance. Investment in quantum computing keeps accelerating. Multiple companies have demonstrated break-even quantum error correction, providing a basis for their ambitious roadmaps towards CRQCs. Importantly, effort is being spent on different physical qubit technologies and fault-tolerant schemes. If one approach to scaling hits unexpected roadblocks, others will still have the opportunity to succeed.

At this point, the main question is not if, but when we will see devices with hundreds of logical qubits and logical error rate low enough for running deep circuits (millions of gates). Companies with good clarity of disclosure and track records align their roadmaps around 2029-2030 for this milestone. Even though that would still be insufficient to break ECDSA, Bitcoin can’t afford to arrive at that point unprepared. Agreeing on a migration strategy will take time. The migration itself, limited by Bitcoin’s throughput, will require at least one year, ideally multiple years if it is decided to burn unmigrated coins. We cannot afford to wait for public evidence of aggressive scaling in logical qubit circuits to start taking any action, as that will inevitably lead to panic, rushed decisions and contentious chain splits with confusion in the market dealing with multiple versions of BTC. Agreeing on BIP-360 by next year will reduce the decision load on the migration and act as a strong signal that Bitcoin can react and evolve when challenged at its core.  

We don’t expect the progress in quantum computing to have a strong effect on BTC during 2026, even when fuelled by aggressive roadmap updates towards CRQCs, but it could be taken as an opportunity by other chains that are further ahead in their post-quantum roadmap. Bitcoin does not need rushed decisions, and it does not need to compete with other chains, but it is time to acknowledge that the clock is ticking, and Bitcoin deserves a plan.

The article above is part of our Outlook 2026 and was first released in December 2025.
