Viewpoint: The Bitcoin Community Is Converging on a Quantum-Threat Roadmap — And It Points to a Post-Quantum Soft-Fork Era

May 4, 2026

Quantum computing has lived for years in Bitcoin’s “interesting, but far away” bucket. That bucket is getting smaller.

What’s changing in 2026 is not that quantum machines can suddenly break Bitcoin today, but that the community conversation is shifting from scattered debate toward an actionable upgrade path: introduce post-quantum cryptography (PQC) gradually, via soft forks, while creating a long migration runway for users and businesses to move funds into quantum-resistant address types. A detailed overview of current proposals and timelines is captured in this recent research note from Galaxy Research on Bitcoin’s quantum readiness.

Below is a practical, ecosystem-focused view of the emerging consensus, why it matters for holders, and what “quantum-proofing Bitcoin” likely looks like in the real world.


1) Why quantum risk is turning from “black swan” to engineering backlog

Bitcoin has upgraded before under uncertainty: from SegWit to Taproot, from legacy script patterns to more expressive primitives, from a niche experiment to critical infrastructure.

Quantum risk is now being treated similarly—less as a single doomsday moment and more as a multi-year migration problem with two characteristics:

  • Coordination takes years in a decentralized system (wallets, exchanges, custodians, miners, node operators, and users).
  • Cryptography transitions are already happening outside crypto, especially after PQC standards stabilized.

In particular, NIST’s publication of PQ standards gives the broader security industry a concrete foundation to build on. For signatures, NIST FIPS 204 (ML-DSA, derived from CRYSTALS-Dilithium) is now a widely referenced baseline, and the broader context is summarized in NIST’s announcement on finalized post-quantum standards.

This matters for Bitcoin because “we’ll pick a PQ signature later” is no longer a satisfying answer. The industry is standardizing now, and Bitcoin’s long-term credibility as a store of value increasingly depends on having a credible roadmap.


2) What quantum computing threatens in Bitcoin (and what it doesn’t)

Bitcoin’s core risk is signature forgery, not mining collapse.

  • Threatened: Elliptic-curve signatures (ECDSA and Schnorr) rely on the hardness of the discrete log problem. A sufficiently powerful fault-tolerant quantum computer running Shor’s algorithm could, in principle, derive a private key from a known public key. See Shor’s original work, “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer”.
  • More resilient (relatively): Hash functions like SHA-256 don’t fall to Shor in the same way. They face a different class of quantum speedups (often discussed via Grover), which changes security margins rather than enabling the same “recover private key from public key” attack described above. Galaxy’s report provides a clear Bitcoin-specific breakdown of these distinctions in its technical sections: Bitcoin Is Rising to the Challenge of Quantum Readiness.

So the quantum story is mostly about when public keys are exposed, and how quickly an attacker could act once exposure occurs.


3) The real exposure: “public key visibility” and legacy outputs

Bitcoin is structurally better positioned than account-based chains in one important way: many address types reveal only a hash of a public key until coins are spent. That creates different risk tiers:

Long-exposure coins (public key already on-chain)

These are the most discussed because an attacker could record exposed public keys now and derive their private keys later (the signature analogue of “collect now, decrypt later”) if cryptographically relevant quantum computing ever arrives.

Two widely cited sources of long exposure include:

  • Very early script types that embed public keys directly (commonly described as P2PK outputs).
  • Bad hygiene / address reuse, where pubkeys become permanently visible after the first spend and remain linked to remaining funds.

Estimates vary dramatically based on definitions. Galaxy cites a higher-end estimate of roughly 7 million BTC vulnerable under certain “long exposure” classifications, while emphasizing uncertainty and methodology dependence (Galaxy Research). Other analyses focus on narrower slices of “market-relevant” risk.

A separate framing comes from an Ark / Unchained white paper summarized by Cointelegraph, which highlights approximately 1.7 million BTC in early P2PK outputs as a distinct, permanently exposed category (Cointelegraph summary).

Short-exposure coins (public key revealed when spending)

Here, the attacker’s window is constrained by mempool dynamics and confirmation times: the adversary would need to derive the private key and front-run the spend quickly enough to steal funds in-flight. This is a different engineering target than long-exposure sweeping.


4) The emerging technical direction: soft forks first, PQ signatures step-by-step

A striking part of the new consensus is procedural: the most credible path is not a sudden “flag day” signature swap. It is a series of incremental, reviewable steps implemented via soft forks.

Step A: reduce exposure with new output types (even before full PQ signatures)

One notable milestone is BIP 360, which proposes Pay-to-Merkle-Root (P2MR) to reduce certain long-exposure patterns by removing Taproot’s key-path spend and relying on script-tree commitments. The canonical draft is in the Bitcoin BIPs repository: BIP 360 (bip-0360.mediawiki).

This kind of change doesn’t magically make Bitcoin “quantum-proof,” but it is consistent with an engineering-first philosophy: shrink the attack surface now, keep compatibility, and create rails for future cryptography.

Step B: introduce PQC in a conservative way (often: dual-signature)

Where full PQ signatures come in, many proposals converge on a pragmatic tradeoff:

  • Use redundancy during transition (e.g., require both a classical signature and a PQ signature), so the network remains safe even if one scheme is later questioned.
  • Avoid forcing every participant to switch instantly.

This is where “Dilithium” is frequently mentioned in community discussions—though in standardized form it’s generally referenced via ML-DSA under NIST’s naming (NIST FIPS 204). In practice, the final selection for Bitcoin would also consider signature sizes, verification cost, bandwidth, hardware constraints, and long-term confidence.
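The dual-signature transition rule described above, written out as an added example (this is illustrative code, not code from any Bitcoin proposal, BIP or client). Two assumptions are baked in: the classical half is textbook Schnorr over secp256k1 rather than the exact BIP340 encoding, and the post-quantum half is a Lamport hash-based one-time signature standing in for ML-DSA, which the Python standard library does not provide. The `pq_required` flag is an assumed activation switch modelling “the PQ half is optional during the runway, mandatory after it”.

```python
import hashlib

# Classical half: textbook Schnorr over secp256k1 (illustrative; not BIP340's exact encoding).
P_MOD = 2**256 - 2**32 - 977
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def ec_add(P, Q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, P):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def pt_bytes(P):
    return P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")

def schnorr_sign(d, msg):
    # Deterministic nonce from (secret, message) so the example is reproducible.
    k = int.from_bytes(H(d.to_bytes(32, "big"), msg), "big") % N_ORD or 1
    R = ec_mul(k, G)
    e = int.from_bytes(H(pt_bytes(R), pt_bytes(ec_mul(d, G)), msg), "big") % N_ORD
    return (R, (k + e * d) % N_ORD)

def schnorr_verify(P, msg, sig):
    R, s = sig
    e = int.from_bytes(H(pt_bytes(R), pt_bytes(P), msg), "big") % N_ORD
    return ec_mul(s, G) == ec_add(R, ec_mul(e, P))

# Post-quantum half: Lamport one-time signatures (hash-based, so Shor does not apply).
# Assumed stand-in for ML-DSA; each key must sign exactly one message.
def lamport_keygen(seed):
    sk = [[H(seed, i.to_bytes(2, "big"), bytes([b])) for b in (0, 1)] for i in range(256)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk

def lamport_sign(sk, msg):
    digest = int.from_bytes(H(msg), "big")
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]

def lamport_verify(pk, msg, sig):
    digest = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][(digest >> (255 - i)) & 1] for i in range(256))

# Hybrid keys and the transition spending rule.
def hybrid_keygen(d, seed):
    sk_pq, pk_pq = lamport_keygen(seed)
    return {"ec": d, "pq": sk_pq}, {"ec": ec_mul(d, G), "pq": pk_pq}

def hybrid_sign(sk, msg):
    return {"ec": schnorr_sign(sk["ec"], msg), "pq": lamport_sign(sk["pq"], msg)}

def verify_spend(pk, msg, sig, pq_required):
    """The classical signature is always checked; a PQ signature, when present,
    must also verify; once pq_required (an assumed activation flag) is set, a
    spend without the PQ half is rejected. Either half failing rejects the spend."""
    if "ec" not in sig or not schnorr_verify(pk["ec"], msg, sig["ec"]):
        return False
    if "pq" in sig and not lamport_verify(pk["pq"], msg, sig["pq"]):
        return False
    return "pq" in sig or not pq_required

if __name__ == "__main__":
    sk, pk = hybrid_keygen(0x1234, b"constructed-seed")
    msg = b"spend: legacy utxo -> pq output"
    print(verify_spend(pk, msg, hybrid_sign(sk, msg), pq_required=True))
```

The point the code makes is the redundancy property from the bullet list: a forged classical signature alone never authorizes a spend once both halves are checked, and during the runway a classical-only spend is still accepted, so nobody is forced to switch on a flag day.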


5) The governance hard part: a “migration window” and what happens to non-migrated coins

Offering a new quantum-resistant address type is the easy part. The hard part is deciding how the network treats coins that cannot or will not migrate—especially long-exposure outputs whose pubkeys are already public, and coins that may be lost forever.

This is where the community discussion often gravitates toward a time-bounded migration window:

  1. Introduce new address types and signing rules.
  2. Give users and institutions years to migrate.
  3. After a long grace period, enforce policy for remaining funds (ranging from “discourage” to “restrict,” and in some proposals “freeze” or “burn”).

Why would Bitcoin ever consider such severe measures? Because the alternative in an extreme scenario is worse: if a quantum-capable actor can sweep large pools of exposed coins and dump them, it may create a one-time market shock and a deep legitimacy crisis.

An attempt to find a middle path is captured in the “Hourglass” family of proposals, which focuses on rate-limiting extraction rather than instantly confiscating or doing nothing. For example, one updated design discusses constraining the amount that can be extracted per block; see Hourglass V2 Update on Delving Bitcoin.

Separately, the idea of a phased migration and sunset is formalized in proposals like BIP 361: Post Quantum Migration and Legacy Signature Sunset, reflecting how quickly the conversation is moving from abstract risk to concrete protocol design.


6) “Cryptographic agility” becomes a first-class requirement

If there is one lesson from modern security engineering, it’s that cryptography is not static.

The Bitcoin ecosystem is increasingly discussing algorithm agility: designing upgrade mechanisms so Bitcoin can switch or add signature schemes without destabilizing the network. That doesn’t mean “change crypto every year.” It means building a protocol posture where future changes are feasible.

The developer conversation is active, including focused discussions on the bitcoin-dev mailing list such as Algorithm Agility for Bitcoin. For long-term assets, agility is not a luxury—it is part of what makes “store of value” credible across decades.


7) What users can do now (before PQ addresses exist)

Even if quantum remains a long-term risk, there are practical steps that align with the direction of travel:

  • Avoid address reuse. Address reuse increases long-term exposure because once a pubkey is revealed, any remaining funds associated with that key can become a “long exposure” target.
  • Inventory legacy holdings. If you have very old UTXOs or historical wallets, identify whether they are associated with early script patterns or repeated address behavior.
  • Plan for migration as a normal lifecycle event. The most realistic post-quantum future involves moving coins into new output types during a multi-year window—similar in spirit (not identical technically) to how users gradually adopted SegWit and later Taproot.
  • Stay upgrade-ready. PQ transitions will likely require wallet software updates, new address formats, and new signing flows. Operational readiness will matter as much as cryptography.
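The “inventory legacy holdings” step above, together with the long/short exposure tiers from section 3, can be turned into a simple offline check. The following is an added example (not a OneKey, Galaxy or Bitcoin Core tool): it classifies each scriptPubKey by pattern, treats any output that already exposes a public key (P2PK, and the tweaked output key of P2TR) as long exposure, and also flags hash-based outputs whose script was previously spent from, since that spend revealed the key. The UTXO list is constructed sample data, and the field names (`spk`, `value_sat`, `spent`) are this example’s own convention.

```python
from collections import defaultdict

def classify_script(spk_hex):
    """Return (script_type, key_visible) for a scriptPubKey given as hex.
    key_visible is True when a public key can be read from the output itself."""
    b = bytes.fromhex(spk_hex)
    if len(b) in (35, 67) and b[0] == len(b) - 2 and b[-1] == 0xAC:
        return "p2pk", True            # <push pubkey> OP_CHECKSIG: key on-chain from day one
    if len(b) == 25 and b[:3] == bytes.fromhex("76a914") and b[-2:] == bytes.fromhex("88ac"):
        return "p2pkh", False          # only hash160(pubkey) until spent
    if len(b) == 23 and b[:2] == bytes.fromhex("a914") and b[-1] == 0x87:
        return "p2sh", False           # only hash160(redeemScript) until spent
    if len(b) == 22 and b[:2] == bytes.fromhex("0014"):
        return "p2wpkh", False
    if len(b) == 34 and b[:2] == bytes.fromhex("0020"):
        return "p2wsh", False
    if len(b) == 34 and b[:2] == bytes.fromhex("5120"):
        return "p2tr", True            # tweaked output key is itself a public key
    return "unknown", False

def exposure_report(outputs):
    """outputs: dicts with txid, vout, spk (hex), value_sat, spent.
    Returns the unspent outputs annotated with an exposure tier and reason.
    Caveat: reuse is detected by identical scriptPubKey only; the same key wrapped
    in two different script types (e.g. p2pkh and p2wpkh) is not linked here."""
    spent_scripts = {o["spk"] for o in outputs if o["spent"]}
    report = []
    for o in outputs:
        if o["spent"]:
            continue
        stype, key_visible = classify_script(o["spk"])
        if key_visible:
            tier, reason = "long", f"{stype} output exposes a public key directly"
        elif o["spk"] in spent_scripts:
            tier, reason = "long", f"{stype} script reused after a spend revealed its key(s)"
        elif stype == "unknown":
            tier, reason = "unknown", "unrecognised script pattern; inspect manually"
        else:
            tier, reason = "short", f"{stype} reveals its key only when spent"
        report.append({**o, "type": stype, "tier": tier, "reason": reason})
    return report

def totals_by_tier(report):
    totals = defaultdict(int)
    for r in report:
        totals[r["tier"]] += r["value_sat"]
    return dict(totals)

# Constructed sample history (not real chain data): one P2PK output, a P2PKH
# script that was spent from once and still holds funds, and fresh P2WPKH,
# P2TR and P2SH outputs.
SAMPLE_OUTPUTS = [
    {"txid": "a" * 64, "vout": 0, "spk": "41" + "04" + "11" * 64 + "ac",
     "value_sat": 5_000_000_000, "spent": False},
    {"txid": "b" * 64, "vout": 0, "spk": "76a914" + "aa" * 20 + "88ac",
     "value_sat": 100_000, "spent": True},
    {"txid": "c" * 64, "vout": 1, "spk": "76a914" + "aa" * 20 + "88ac",
     "value_sat": 250_000, "spent": False},
    {"txid": "d" * 64, "vout": 0, "spk": "0014" + "bb" * 20,
     "value_sat": 80_000, "spent": False},
    {"txid": "e" * 64, "vout": 0, "spk": "5120" + "cc" * 32,
     "value_sat": 60_000, "spent": False},
    {"txid": "f" * 64, "vout": 0, "spk": "a914" + "dd" * 20 + "87",
     "value_sat": 40_000, "spent": False},
]

if __name__ == "__main__":
    for row in exposure_report(SAMPLE_OUTPUTS):
        print(row["txid"][:8], row["type"], row["tier"], "-", row["reason"])
    print(totals_by_tier(exposure_report(SAMPLE_OUTPUTS)))
```

Run against a wallet’s own UTXO export, the “long” rows are the ones to prioritise when a migration window opens; the “short” rows only need good hygiene (no reuse) until quantum-resistant output types exist.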

Where hardware wallets fit

A hardware wallet doesn’t stop Shor’s algorithm. But it does protect the most important thing today: your private keys and signing approvals.

In a future migration window, users will need to sign controlled moves from legacy outputs to new quantum-resistant addresses. A self-custody setup—where keys never touch an internet-connected environment—reduces compromise risk at exactly the moment users will be asked to execute high-stakes migrations.

That’s also where products like OneKey can be a practical part of a post-quantum readiness plan: keeping keys isolated, making it easier to follow good address hygiene, and providing a secure signing environment as Bitcoin’s address and signature standards evolve.


Conclusion: a long runway, a clearer roadmap

The most important shift is psychological and social: quantum is no longer treated purely as a meme or an existential unknown. It’s being shaped into a manageable protocol upgrade sequence:

  • reduce exposure where possible (e.g., new output constructions),
  • introduce PQ signatures conservatively (often via redundancy),
  • enforce a long migration runway,
  • and build cryptographic agility so Bitcoin can evolve again if needed.

That combination turns “quantum threat” from a paralyzing narrative into a concrete backlog—one that Bitcoin, with enough time and coordination, can realistically execute.

If you’re holding BTC for the long term, the best posture is neither panic nor denial: it’s staying informed, keeping your coins in a well-managed self-custody setup, and being ready to migrate when the network standardizes quantum-resistant address types.
