BIP 360 and the Quantum Threat to Bitcoin 

April 8, 2026


Breaking 🚨: Up to 90% of BTC held in Satoshi-linked wallet moved to unknown address. 

As jarring as this headline might seem, errrm… it might become a reality if we do not fix the problem as soon as possible. 

6.9 million BTC is the exact number of coins with exposed public keys, susceptible to the quantum threat.

At current prices, that’s almost $450 billion, an amount capable of causing a huge disruption in global economics. 

1.7 million of the exposed BTC belong to the earliest miners - including an estimated 1.1 million attributed to Satoshi Nakamoto. 

That's roughly $76 billion sitting in Pay-to-Public-Key (P2PK) addresses from Bitcoin's genesis era, where public keys are permanently baked into the network.

The bad news, however, is that Google has revealed that nine minutes is all it will take for a quantum computer to derive a Bitcoin private key from a public key, and there’s a 41% chance that a quantum attacker could do this before the network even confirms your transaction. 

What’s worse is that upgrading a wallet to quantum-resistant standards requires the owner to initiate a transaction, and 1.1 million BTC held in what’s widely accepted as Satoshi’s wallet hasn't moved a single coin in over fifteen years. You can't force a migration on a wallet that refuses to wake up.

While there are no computers that could pull this off today, Google’s recent paper suggests an 80% decrease in the needed qubits to carry out such an operation, shortening the timelines drastically to approximately three years!

The bottom line is that Bitcoin is in a race against time, and not nearly enough people fundamentally understand the proposals and solutions to fix this level 1 threat, or their limitations, hence our focus on this today. 

But before we get into the main proposal we want to shed light on (BIP 360), here is the backstory of the journey thus far:

The Taproot irony

In 2021, Bitcoin initiated the Taproot upgrade, intended to be a leap forward for privacy and efficiency; however, it accidentally made the quantum problem significantly worse, despite a Bitcoin developer's warning that this might happen.

The community accepted the tradeoff because quantum threats seemed distant. Five years later, Google's research has just compressed that timeline. 

In more technical terms, older Bitcoin address formats like Pay-to-Public-Key-Hash (P2PKH) hide your public key behind a hash. 

It only gets revealed when you actually spend from the address. The Pay-to-Taproot (P2TR) format introduced by the Taproot upgrade, however, flipped that model.

It exposes tweaked public keys directly onchain as elliptic curve points - permanently, by default, even while your coins just sit there doing nothing.

In Google's own data, P2TR outputs were associated with approximately 16.8 million BTC moved in 2025, representing 21.68% of all Bitcoin transactions that year. Every wallet that has ever sent BTC using a Taproot address now has its public key visible onchain. 

For a quantum attacker, that's an indefinite window to work the math offline with no rush whatsoever.

So, while it looked like Bitcoin upgraded its armor, it accidentally left the back door wide open.
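To make the difference between output formats concrete, here is an added example (not code from the article or from any Bitcoin project) that classifies a scriptPubKey by its standard template and reports whether the public key is visible while the coins sit unspent. It goes slightly beyond the formats named above by also covering P2SH, P2WPKH and P2WSH, which are hash-based like P2PKH; the function names and the sample UTXO set are constructed for illustration.

```python
# Added example. All scripts below are constructed placeholders, not chain data.
from typing import NamedTuple, Optional

class Verdict(NamedTuple):
    kind: str
    key_exposed_at_rest: Optional[bool]  # None = unknown template, review by hand

def classify(spk: bytes) -> Verdict:
    """Match a scriptPubKey against the standard output templates."""
    n = len(spk)
    # P2PK: <push 33- or 65-byte pubkey> OP_CHECKSIG -> raw key in the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return Verdict("P2PK", True)
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return Verdict("P2PKH", False)
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return Verdict("P2SH", False)
    # SegWit v0: OP_0 <20-byte key hash> or OP_0 <32-byte script hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return Verdict("P2WPKH", False)
    if n == 34 and spk[:2] == b"\x00\x20":
        return Verdict("P2WSH", False)
    # P2TR: OP_1 <32-byte tweaked x-only public key> -> key in the output
    if n == 34 and spk[:2] == b"\x51\x20":
        return Verdict("P2TR", True)
    return Verdict("unknown", None)

def exposed_sats(utxos) -> int:
    """Sum the value (in satoshis) of outputs whose key is visible while unspent."""
    return sum(v for spk, v in utxos if classify(spk).key_exposed_at_rest is True)

# Constructed sample UTXO set: (scriptPubKey, value in satoshis)
SAMPLE_UTXOS = [
    (b"\x41\x04" + bytes(64) + b"\xac", 5_000_000_000),   # P2PK, uncompressed key
    (b"\x76\xa9\x14" + bytes(20) + b"\x88\xac", 120_000),  # P2PKH
    (b"\x00\x14" + bytes(20), 75_000),                     # P2WPKH
    (b"\x51\x20" + bytes(32), 250_000),                    # P2TR
]

if __name__ == "__main__":
    for spk, value in SAMPLE_UTXOS:
        print(classify(spk), value)
    print("exposed at rest:", exposed_sats(SAMPLE_UTXOS), "sats")
```

A hash-based output reports False only for as long as its address has never been spent from; catching address reuse needs spend history, which this template check does not look at.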

Enter BIP 360

Bitcoin Improvement Proposal (BIP) 360 introduces a new output type called Pay-to-Merkle-Root (P2MR), and its entire purpose is to remove the public key from the blockchain.

The idea is that if there's no public key onchain, there's nothing for a quantum computer to attack. 

P2MR works similarly to Taproot but strips out the "key-path spend" mechanism, the exact feature that exposes public keys by default. 

Everything else, i.e., Lightning payments, multi-signature setups, timelocks, and complex custody structures, would continue working through Tapscript Merkle trees.
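An added example (not from BIP 360 or from the original article) of what a script-tree commitment contains: the spending keys live inside leaf scripts, and only a 32-byte hash of the tree is published until a spend reveals one leaf. It uses BIP 341's tagged-hash tree construction; that P2MR reuses this construction unchanged is an assumption here, and the keys, scripts and tree shape are constructed placeholders.

```python
# Added example. Keys and scripts are constructed placeholders.
import hashlib

def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP 340/341 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def compact_size(n: int) -> bytes:
    """Bitcoin variable-length integer, enough for script lengths."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    return b"\xfe" + n.to_bytes(4, "little")

def leaf_hash(script: bytes, leaf_version: int = 0xC0) -> bytes:
    """Hash one tapscript leaf (0xC0 is the BIP 342 tapscript leaf version)."""
    return tagged_hash("TapLeaf", bytes([leaf_version]) + compact_size(len(script)) + script)

def branch_hash(a: bytes, b: bytes) -> bytes:
    """Hash two child nodes; children are sorted so the order does not matter."""
    return tagged_hash("TapBranch", min(a, b) + max(a, b))

def merkle_root(scripts) -> bytes:
    """Pair leaves left to right (one valid tree shape); an odd node moves up."""
    if not scripts:
        raise ValueError("a script tree needs at least one leaf")
    level = [leaf_hash(s) for s in scripts]
    while len(level) > 1:
        nxt = [branch_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]

KEY_A = bytes([0x11]) * 32  # placeholder x-only public keys, not real keys
KEY_B = bytes([0x22]) * 32
SCRIPTS = [
    b"\x20" + KEY_A + b"\xac",                   # <KEY_A> OP_CHECKSIG
    b"\x02\x90\x00\xb2\x75\x20" + KEY_B + b"\xac",  # <144> OP_CSV OP_DROP <KEY_B> OP_CHECKSIG
]

if __name__ == "__main__":
    root = merkle_root(SCRIPTS)
    print("commitment:", root.hex())
    print("keys visible in commitment:", KEY_A in root or KEY_B in root)
```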

BTQ Technologies has already deployed a working BIP 360 implementation on its Bitcoin Quantum testnet v0.3.0, with more than 50 miners running the infrastructure and over 100k blocks mined. An open-source community of more than 100 cryptographers and developers is actively contributing. 

Why BIP 360 is only step one (and why that's terrifying)

You must be saying, “Aha! Okay, there’s a fix.” But let us not get carried away. 

As much as BIP 360 makes sense, it has real limitations. In fact, anyone telling you it solves Bitcoin's quantum problem is selling you something.

Firstly, BIP 360 only protects new coins going forward. The 6.9 million BTC already sitting in exposed addresses? BIP 360 doesn't touch them. That's a separate, much harder governance problem.

Secondly, BIP 360 does not replace the Elliptic Curve Digital Signature Algorithm (ECDSA) or Schnorr signatures with post-quantum alternatives. 

Rather, it removes the long-exposure attack surface, but it doesn't defend against a short-exposure mempool attack. 

Full post-quantum signatures - like SPHINCS+ (standardized by the National Institute of Standards and Technology (NIST)) or Dilithium - would be needed for that. 

And those come with a brutal tradeoff: current Bitcoin signatures are 64 bytes, while SPHINCS+ signatures balloon to 8 kilobytes or more. That's a 125x increase in signature size, which would wreck block space economics.

Thirdly, Bitcoin's governance moves at geological speed. SegWit took approximately 8.5 years from conception to adoption. Taproot took 7.5 years.

Even if the entire community agreed tomorrow that BIP 360 should activate, the realistic timeline for full deployment stretches into years, and Google has set 2029 as the probable year for an apocalypse. 

Freeze Satoshi's coins or let them get stolen?

So, considering the aforementioned inefficiencies and lacunas, the most obvious debate for the Bitcoin community is what to do with the 1.1 million BTC sitting idly in a wallet that has not made a transaction in 15 pitbull damned years. 

The community has exactly two options, and both of them break a core Bitcoin promise.

Option A: 

Freeze or burn the vulnerable coins before a quantum attacker gets to them. This preserves market stability but means the community seized someone's Bitcoin by consensus. 

"Your keys, your coins" becomes "your keys, your coins, unless we vote otherwise." We believe that this is nothing more and nothing less than a philosophical grenade lobbed at Bitcoin's entire identity.

Option B: 

Do nothing and let quantum attackers claim whatever they can crack. This preserves immutability and neutrality but opens the door to a $76 billion bounty for the world's first quantum hacker.

There's also a third-way proposal called Hourglass V2, which would limit the spending of exposed coins to one BTC per block - essentially a controlled bank run designed to prevent an overnight market crash. 

Even this modest restriction has critics arguing it violates the principle that no external party can interfere with your right to spend your money onchain.

Concluding thoughts 

If you take a stroll to the orange side of X, you get the vibe that the Bitcoin community is experiencing an existential crisis, with lots of conversations and opinions on what to do. 

On the other hand, alternative networks like Ethereum have already launched an extensive post-quantum migration effort. 

Vitalik Buterin publicly outlined a step-by-step quantum resistance roadmap. The Ethereum Foundation formed a dedicated post-quantum security team in January 2026 and posted a $2 million research prize. Even Coinbase formed a quantum advisory board. 

And hey, FWIW, even we at blocmates put out a really great listicle of solutions and tools addressing the quantum threat. 

It feels like everyone’s doing something, and yet the most important part, Bitcoin, seems to be more on the fragile end. 

From the above, it is clear that BIP 360 isn't a silver bullet, but it surely is a step in the right direction.

However, rather than debating philosophically, we need to reach a consensus to shorten timelines and save all our coins. 
