Bitcoin and Quantum Computing: A Roadmap (8 minute read)
A Bitcoin developer proposes an incremental roadmap to quantum-proof Bitcoin by implementing quantum-safe outputs now while deferring harder decisions about legacy coins for later.
What: The article proposes using P2MR (BIP 360) with new post-quantum signature opcodes to let Bitcoin users migrate their coins to quantum-resistant outputs via a soft fork, without waiting to resolve contentious issues like what to do with unmoved coins or Satoshi's stash.
Why it matters: This matters because it provides a practical path forward on quantum resistance that doesn't get blocked by unsolvable debates about freezing legacy coins. Users who migrate can secure their holdings immediately, and real migration data can inform future decisions about what percentage of coins remain vulnerable.
Takeaway: Bitcoin developers and wallet maintainers should evaluate P2MR (BIP 360) and OP_CHECKSHRINCS to understand implementation requirements for quantum-safe outputs before deployment.
Deep dive
- The proposed strategy separates immediate low-risk mitigations (quantum-safe outputs) from high-stakes future decisions (what to do with unmoved coins like Satoshi's 2.9% of supply)
- P2MR with cryptographic agility allows users to secure coins against quantum attacks while still using efficient Schnorr signatures until a quantum threat is imminent
- Key requirement: users cannot reuse addresses or reveal public keys, as this would expose them to quantum attacks unless a future soft fork disables vulnerable signature schemes
- The approach sacrifices Taproot's key spend path privacy benefit, leaking one bit of information about whether other spending conditions exist
- Author argues we don't need consensus on contentious issues (freezing Satoshi's coins, escape hatches for late movers) to make progress on user-initiated migration
- Real on-chain migration data will reveal what percentage X of coins remain insecure, informing whether additional interventions are needed
- Alternative approaches like OP_CAT or the QSB paper are technically possible but impractical because of massive transaction sizes (fees of hundreds of dollars per transaction) and non-standard formats
- OP_CHECKSHRINCS proposes hash-based signatures about 5X larger than current Schnorr signatures, likely requiring a 2-8X block size increase to maintain throughput
- The post-quantum signature scheme uses stateful signing (tracking number of signatures) with fallback to larger stateless schemes if state is lost
- Author explicitly argues for punting on hard problems until more information is available, particularly game theory around miner incentives to reorg and capture vulnerable coins
- Critical timeline point: if CRQC doesn't appear for 100 years, today's developers shouldn't make irreversible decisions for future Bitcoin users
- The roadmap creates a scenario where Bitcoin can be quantum-safe (the "blue triangle") even if consensus on freezing legacy coins (the "purple trapezoid") is never reached
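The stateful hash-based signing described above, as an added Python illustration (not code from the article, from BIP 360 or from SHRINCS): a Merkle root over four Lamport one-time public keys serves as the long-term public key, the signer's only state is a counter of one-time keys already spent, and once that counter reaches the number of keys the signer refuses to sign, which is where the text's fallback to a larger stateless scheme would take over. Function and class names are my own; the tree size and message strings are constructed for the example.

```python
import hashlib, os

H = lambda data: hashlib.sha256(data).digest()        # hash used everywhere below
def bit(d: bytes, i: int) -> int:                      # i-th bit of a digest, MSB first
    return (d[i // 8] >> (7 - i % 8)) & 1

def lamport_keygen():                                  # 256 secret pairs; pk = their hashes
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]
def lamport_sign(sk, msg: bytes):                      # reveal one secret per message bit
    d = H(msg)
    return [sk[i][bit(d, i)] for i in range(256)]
def lamport_verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return all(H(sig[i]) == pk[i][bit(d, i)] for i in range(256))
def pk_leaf(pk) -> bytes:                              # compress a one-time public key into a leaf
    return H(b"".join(a + b for a, b in pk))

def merkle_levels(leaves):                             # len(leaves) must be a power of two
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels
def auth_path(levels, idx: int):                       # sibling hashes from leaf idx to the root
    return [lvl[(idx >> h) ^ 1] for h, lvl in enumerate(levels[:-1])]
def merkle_verify(root: bytes, leaf: bytes, idx: int, path) -> bool:
    for h, sib in enumerate(path):
        leaf = H(leaf + sib) if (idx >> h) % 2 == 0 else H(sib + leaf)
    return leaf == root

class StatefulSigner:
    def __init__(self, n: int = 4):
        self.keys = [lamport_keygen() for _ in range(n)]
        self.levels = merkle_levels([pk_leaf(pk) for _, pk in self.keys])
        self.root = self.levels[-1][0]     # long-term public key (what a P2MR leaf would commit to)
        self.used = 0                      # the state: number of one-time keys already spent

    def sign(self, msg: bytes):
        if self.used >= len(self.keys):    # state exhausted: never reuse a one-time key
            raise RuntimeError("one-time keys exhausted: fall back to a stateless scheme")
        i, self.used = self.used, self.used + 1   # advance state before releasing the signature
        sk, pk = self.keys[i]
        return (i, lamport_sign(sk, msg), pk, auth_path(self.levels, i))

def verify(root: bytes, msg: bytes, signature) -> bool:
    i, ots, pk, path = signature
    return lamport_verify(pk, msg, ots) and merkle_verify(root, pk_leaf(pk), i, path)
```

A verifier needs only the 32-byte root; each signature carries the one-time public key plus a two-hash authentication path, which is the size cost the bullets above refer to.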
Decoder
- CRQC: Cryptographically Relevant Quantum Computer - a quantum computer powerful enough to break current Bitcoin cryptography (ECDSA and Schnorr signatures)
- P2MR: Pay-to-Merkle-Root (BIP 360) - a proposed output type using Merkle trees instead of scripts, enabling quantum-safe addresses
- P2TR: Pay-to-Taproot - Bitcoin's current output type that allows efficient privacy through a key spend path that hides other spending conditions
- Soft fork: A backward-compatible protocol upgrade where old nodes still validate new transactions
- Schnorr signatures: Bitcoin's current signature scheme, more efficient than older ECDSA but vulnerable to quantum attacks
- Tapscript: The scripting language used in Taproot outputs
- Q-Day: The hypothetical day when a powerful quantum computer capable of breaking Bitcoin's cryptography becomes operational
- Address reuse: Using the same Bitcoin address multiple times, which reveals the public key and makes coins vulnerable to quantum attacks
- ECC: Elliptic Curve Cryptography - the mathematical foundation of Bitcoin's current signature schemes, broken by quantum computers
- OP_CAT: A proposed opcode that would enable concatenation in Bitcoin script, theoretically allowing post-quantum signatures to be verified
- BIP 361: A controversial proposal about how to handle legacy coins vulnerable to quantum attacks
Original article
This post proposes a pragmatic roadmap to secure Bitcoin against Cryptographically Relevant Quantum Computers. By implementing P2MR and new signature opcodes via soft forks, users can proactively migrate to quantum-safe outputs. This incremental approach prioritizes immediate, low-risk mitigations while deferring complex, high-stakes decisions regarding legacy coin security.