Bitcoin Developers Push Quantum-Resistant Upgrades with BIP-360 and BIP-361

Bitcoin developers are no longer treating quantum computing like a theoretical boogeyman for some far-off decade. With BIP-360 and BIP-361, the network is now preparing for a future where today’s signature schemes may not be good enough.

• BIP-360 introduces Bitcoin’s first quantum-resistant address type.
• BIP-361 pushes vulnerable coins to migrate before a deadline, with old signature paths potentially sunset.
• The real threat is not mining, but transaction signing and exposed public keys.
• Roughly 6.5 to 6.9 million BTC could be vulnerable, including ancient coins linked to Satoshi Nakamoto.

“In 2026, the fixing has begun.”

That line captures the mood pretty well. Bitcoin is not under immediate attack from quantum computers, but developers have decided the clock has started anyway. The point is not current capability. It is trajectory. And that trajectory is getting harder to ignore.

To understand why, it helps to strip away the jargon. Bitcoin relies on cryptography to prove ownership. A private key is the secret that controls coins. A public key is the part that can be seen on-chain and used to verify signatures. A signature is the cryptographic proof that says, “yes, this transaction was authorized.” If a future quantum computer becomes powerful enough, it could potentially reverse-engineer private keys from exposed public keys and steal funds.

That is the real danger. Not mining. Not SHA-256. Not some Hollywood fantasy of quantum machines chewing through the blockchain like a snack bar.

The real vulnerability is in transaction signing. Bitcoin’s mining process uses SHA-256, and for all practical purposes it is considered quantum-safe enough that it is not the immediate concern. The weak point is the signature layer, especially legacy ECDSA and, in principle, Schnorr signatures used in Taproot spending paths. A sufficiently powerful quantum computer running Shor’s algorithm could break those guarantees and derive private keys from public ones.

That is why the discussion has moved from abstract research to actual protocol planning. BIP-360, merged into Bitcoin’s official repository on February 11, 2026, introduces Bitcoin’s first quantum-resistant address type. It uses the prefix “bc1r” and leans on post-quantum signature schemes such as ML-DSA, designed to resist attacks from quantum machines.

The catch is that post-quantum security is not free. Some post-quantum signatures are huge compared with Bitcoin’s current ones. SLH-DSA, for example, can be as large as 8 kilobytes. That is not a small design detail. It affects blockspace, fees, wallet handling, and how much data every transaction needs to carry. Bitcoin has spent years making transactions leaner, so adding chunky signatures is the kind of tradeoff that makes engineers wince and pragmatists reach for the calculator.

BIP-361, published on April 14, 2026, is where the politics get hot. It proposes a migration deadline for vulnerable coins, and if those coins are not moved in time, their old signature paths could be sunset. In plain English: old address types may eventually stop being usable as-is. That is the sort of measure that would protect users from quantum theft, but it also means some coins could get stranded if they cannot be migrated.

And that is where Bitcoin runs straight into one of its most sacred tensions: immutability versus security.

The scale of the potential exposure is what pushed this from niche concern to protocol-level planning. Roughly 6.5 to 6.9 million BTC are considered vulnerable because their public keys are already exposed on-chain. That is about one-third of all Bitcoin, give or take the usual uncertainty that comes with blockchain forensics and ancient wallet archaeology. Around 1.7 million BTC sit in very old addresses widely believed to be linked to Satoshi Nakamoto.

That makes for a nasty little policy knot. If Bitcoin decides dormant coins must migrate or lose their old signature path, what happens to coins that may never be moved at all? If Satoshi’s coins are effectively unreachable, does the network preserve them as part of Bitcoin’s historical fabric, or does it freeze them in the name of future security? There is no clean answer.

That is not a bug in the debate. It is the debate.

Some of the urgency comes from research that suggests the quantum timeline may be less fantasy and more planning problem. Google researchers estimated that breaking 256-bit elliptic-curve cryptography might require fewer than 1,200 logical qubits and fewer than 500,000 physical qubits. A researcher reportedly broke a 15-bit elliptic-curve key on accessible quantum hardware and collected a 1 BTC bounty. That is not proof that Bitcoin is about to be cracked tomorrow, but it is a reminder that cryptography is not protected by wishful thinking.

Bitcoin developers are not responding to a live exploit. They are responding to the direction of travel. That matters. Protocol migrations take years, wallet upgrades take time, exchanges move slowly, and users are famously bad at moving coins until the threat is already sitting on their face. So the work has to begin long before the danger becomes practical.

The proposal structure also matters. Both BIP-360 and BIP-361 are designed as a soft fork, not a hard fork. That means the changes are intended to remain backward-compatible at the protocol level rather than splitting Bitcoin into competing chains. In other words, Bitcoin is trying to upgrade its armor without ripping the entire suit apart. Simple in theory. Painful in practice.

Bitcoin is not in danger today, but its developers have decided the clock has started. That is the correct framing. Quantum computers are not ready to drain wallets at scale right now, but the network cannot afford to wait until the first real attack forces a panic response. By then, the migration would be chaotic, expensive, and possibly politically impossible.

The hard part is not just technical. It is ethical. Freezing coins, even to protect them, rubs directly against the property-rights absolutism many Bitcoiners hold dear. Bitcoin was built around the idea that no central authority gets to change the rules of ownership on a whim. But a quantum threat changes the calculation. If leaving old signature paths alive means exposing dormant coins to theft, then doing nothing becomes its own kind of betrayal.

Some Bitcoin researchers and developers prefer less abrupt approaches. One option is to hide post-quantum fallback paths inside Taproot, Bitcoin’s upgrade that improved privacy and flexibility while introducing more advanced spending conditions. Another is a direct signature upgrade without aggressively sunsetting old paths. BitMEX Research has outlined a Taproot-based quantum-safe approach, while Bitcoin Optech has highlighted work on optimizing post-quantum signature schemes.

Those approaches have a clear appeal: less disruption, fewer forced migrations, less risk of accidentally nuking dormant coins into irrelevance. But they also risk dragging out the timeline. Bitcoin does not get extra points for philosophical purity if the cryptography underneath it is eventually exposed as obsolete.

The larger lesson is that quantum resistance is not just Bitcoin’s problem. Ethereum, XRP Ledger, and Hedera are also working on quantum-resistant paths, just with very different governance and architecture choices. Vitalik Buterin has discussed an Ethereum quantum-resistance roadmap. The XRP Ledger has outlined a four-phase plan. Hedera already relies on hash-based cryptography with stronger quantum resistance characteristics. Different chains, same reality check: if quantum computing matures enough, old cryptography becomes a liability.

There is also a useful counterpoint here that Bitcoiners should not ignore. It is entirely possible that the network is solving a problem years or even decades before practical quantum danger arrives. Premature migration can create complexity, fee pressure, and coordination headaches without delivering an immediately visible payoff. That is the ugly side of good planning: you often get mocked for doing the right thing too early. But the alternative is waiting until the fire is already inside the walls.

The best way to think about BIP-360 and BIP-361 is not as a prediction that quantum apocalypse is imminent. It is a recognition that Bitcoin’s current signature schemes are not eternal. The protocol does not need to panic. It does need a plan.

Why BIP-360 matters

BIP-360 creates Bitcoin’s first quantum-resistant address type, giving users and wallets a new path to protect funds against a future quantum attack on wallets.

What BIP-361 tries to do

BIP-361 proposes a migration deadline for vulnerable coins and could sunset old signature paths, which would force the network to choose security over indefinite backward compatibility.

How much Bitcoin may be exposed

Roughly 6.5 to 6.9 million BTC may be vulnerable because the public keys are already visible on-chain. That includes around 1.7 million BTC in ancient addresses believed to be tied to Satoshi Nakamoto.

What the real quantum threat is

The threat is not Bitcoin mining. It is the possibility that quantum computing and Bitcoin signatures become an ugly matchup, with exposed public keys giving attackers a path to derive private keys.

Is Bitcoin in immediate danger?

No. The threat is future-facing, not current. But Bitcoin’s slow-moving governance means the migration work has to begin long before the attack is practical.

What is the hardest unresolved question?

Whether Bitcoin should preserve immutability at all costs, or intervene to protect users by freezing coins that cannot be safely migrated.

Can Bitcoin upgrade without breaking itself?

That is the challenge. Bitcoin wants to become quantum-resistant without losing the qualities that made it credible in the first place: scarcity, predictability, and resistance to arbitrary change.

Bitcoin is heading toward quantum resistance slowly, deliberately, and with a fierce argument about its own principles running in parallel. That is probably exactly how it should be. If the network is going to remain hard money for the long haul, it may need to change just enough to stay secure without turning into a bloated, centralized patch job dressed up as progress.