Blog, 20 May 2026

Frozen or stolen

For years, quantum computing was bitcoin's distant "what if". In 2026 it became an engineering question. Working code, a formal proposal in the BIP repository and fresh research from Google have reset the timeline. Here is what changed, what is at risk, and where it goes next.

For most of bitcoin's history, the quantum computing question was a thought experiment held politely off to the side of more pressing debates. In 2026 it stopped being a thought experiment. Working code was published, a formal migration proposal landed in the official BIP repository, Google's own research reset the timeline, and a community that prides itself on civility found itself in its sharpest cryptographic argument in a decade. This piece explains what changed, what the actual exposure looks like, who is proposing what, and how the most likely scenarios from here line up.

TL;DR

  • Roughly 34 percent of all bitcoin sits in addresses where the public key is already visible on-chain, according to the BIP-361 specification (figure dated 1 March 2026).

  • Three concrete responses are now live in the discussion: BIP-360 (a new quantum-resistant address type), BIP-361 (a phased sunset of legacy signatures, authored by Jameson Lopp and five other researchers), and Quantum Safe Bitcoin or QSB (a hash-based scheme from StarkWare requiring no protocol change).

  • The bitcoin community is genuinely divided. Supporters of mandatory migration frame the choice as "frozen or stolen". Opponents call the same idea authoritarian and confiscatory, and warn about precedent.

  • Google's March 2026 research lowered the hardware bar for breaking elliptic curve cryptography. No machine capable of doing this exists today. Most realistic timelines for a cryptographically relevant quantum computer still stretch into the 2030s.

  • Even in the worst-case sell scenario, on-chain analyst James Check estimates the entire Satoshi-era stash equates to roughly 60 to 90 days of normal sell-side flow during a bull market.

  • Bitcoin's fundamentals are not broken. The properties at stake are about migration governance and property rights, not about the integrity of the underlying ledger.

What is actually at risk: the technical problem in plain language

Bitcoin secures spending with the elliptic curve digital signature algorithm, known as ECDSA, and more recently with Schnorr signatures introduced through Taproot. Both rely on the same underlying mathematical assumption: that deriving a private key from a public key is computationally infeasible.

A sufficiently powerful quantum computer running Shor's algorithm breaks that assumption. With enough qubits and enough error correction, a machine could in principle recover a private key from an exposed public key. Once the private key is recovered, the attacker can sign transactions and move the corresponding coins.

Two further details matter for understanding the actual exposure.

First, not every bitcoin address exposes its public key in the same way. Hash-based address types (P2PKH, P2WPKH) reveal the public key only at the moment of spending, so as long as an address is never reused the window of vulnerability is the interval between broadcast and confirmation. Taproot (P2TR) outputs are the exception among modern formats: the tweaked public key sits in the output script itself, which is why BIP-360 removes Taproot's key-path spend. Old address formats, most notably Pay-to-Public-Key from the Satoshi era, embed the public key directly on-chain and have done so for over a decade.

Second, address reuse compounds the problem. Spending from a hash-based address reveals its public key in the transaction's scriptSig or witness, so any funds sent to that address afterwards are exposed for as long as the address holds value. According to figures cited in the BIP-361 proposal, more than 34 percent of all bitcoin on the network has had its public key exposed on-chain as of 1 March 2026. That is the realistic measure of how much of the supply is structurally exposed if a cryptographically relevant quantum computer arrives.
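The two exposure paths just described (key in the output script versus key revealed by a prior spend) can be turned into a simple audit of a UTXO set. The script below is an added example for this post, not tooling from BIP-361 or any of the projects mentioned; it runs on a constructed, labelled sample rather than real chain data, and the `address` field is a hypothetical label standing in for the scriptPubKey. It classifies each output as exposed by construction (P2PK, P2TR), exposed through address reuse (a hash-based address that has already been spent from), or not exposed, and reports the exposed share of value, which is the quantity the 34 percent figure measures.

```python
from collections import Counter
from dataclasses import dataclass

# Output types whose scriptPubKey carries a public key outright: P2PK (the
# Satoshi-era format) and P2TR (the tweaked output key is in the script).
KEY_IN_OUTPUT = {"p2pk", "p2tr"}
# Output types that commit only to a hash of the key. The key itself appears
# in the scriptSig/witness the first time the address is spent from.
KEY_HASHED = {"p2pkh", "p2sh-p2wpkh", "p2wpkh"}


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    script_type: str
    address: str      # hypothetical label standing in for the scriptPubKey
    value_sat: int


def addresses_spent_from(spent_inputs):
    """Addresses whose public key is already on-chain because a confirmed
    input has spent from them. spent_inputs: iterable of (txid, address)."""
    return {addr for _txid, addr in spent_inputs}


def exposure_reason(utxo, spent_from):
    """Why this UTXO's public key is visible, or None if it is not."""
    if utxo.script_type in KEY_IN_OUTPUT:
        return "key-in-output"
    if utxo.script_type in KEY_HASHED:
        return "address-reuse" if utxo.address in spent_from else None
    raise ValueError(f"unknown script type: {utxo.script_type}")


def audit(utxos, spent_from):
    """Aggregate value by exposure reason and compute the exposed share."""
    by_reason = Counter()
    for u in utxos:
        by_reason[exposure_reason(u, spent_from) or "not-exposed"] += u.value_sat
    total = sum(by_reason.values())
    exposed = total - by_reason["not-exposed"]
    return {
        "by_reason": dict(by_reason),
        "total_sat": total,
        "exposed_sat": exposed,
        "exposed_share": exposed / total if total else 0.0,
    }


# Constructed sample UTXO set (not real chain data). 1 BTC = 100_000_000 sat.
SAMPLE_UTXOS = [
    Utxo("tx-a", 0, "p2pk", "pk-satoshi-era", 100_000_000),
    Utxo("tx-b", 0, "p2tr", "bc1p-example", 50_000_000),
    Utxo("tx-c", 1, "p2pkh", "1-reused-example", 200_000_000),
    Utxo("tx-d", 0, "p2wpkh", "bc1q-fresh-example", 300_000_000),
    Utxo("tx-e", 2, "p2pkh", "1-fresh-example", 150_000_000),
]
# Constructed spend history: "1-reused-example" was spent from once and then
# received funds again, so its public key is already on-chain.
SAMPLE_SPENT_INPUTS = [("tx-old", "1-reused-example")]
SAMPLE_SPENT_FROM = addresses_spent_from(SAMPLE_SPENT_INPUTS)

if __name__ == "__main__":
    report = audit(SAMPLE_UTXOS, SAMPLE_SPENT_FROM)
    for reason, sats in sorted(report["by_reason"].items()):
        print(f"{reason:15s} {sats / 1e8:8.3f} BTC")
    print(f"exposed share: {report['exposed_share']:.1%}")
```

On the constructed sample, 3.5 of 8 BTC (43.75 percent) is exposed: the P2PK and P2TR outputs by construction and the reused P2PKH address through its earlier spend. The two fresh hash-based outputs are the only ones a quantum adversary could not target before their owners spend, which is exactly the population a migration to a BIP-360 output type would protect by moving coins before the key is ever revealed.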

How the community actually perceives the problem

There is no single bitcoin position on the quantum question. There are three, and they coexist uncomfortably.

The first camp treats the threat as urgent and the migration as overdue. Jameson Lopp, co-founder of Casa and one of the most respected long-time contributors to bitcoin, has been the most prominent voice here. He has publicly said he dislikes the idea of freezing legacy coins but fears the alternative of quantum theft more. Charles Edwards, founder of Capriole Investments, has called for a 2026 deployment of quantum-resistant signatures and has suggested penalising coins that do not migrate by 2028. Avihu Levy at StarkWare and Ethan Heilman, both BIP-360 contributors, have moved the discussion from abstract debate into draft code and testnet implementations.

The second camp accepts that quantum is a real long-term risk but rejects the urgency. Adam Back, the cypherpunk whose Hashcash invention is referenced in the bitcoin white paper, has argued for optional post-quantum features now rather than mandatory migration timelines. Samson Mow has pushed back on the perception that the threat is imminent. Their position is that bitcoin's conservative development culture is a feature, not a bug, and that rushed consensus changes can create new risks while trying to solve old ones.

The third camp objects to the BIP-361 freezing mechanism on principle. Brian Trollz, editor of Bitcoin Magazine, rejected the proposal outright. Marty Bent, founder of TFTC, called it ridiculous. Phil Geiger, head of business development at Metaplanet, summarised the camp's discomfort with a single line: "we have to steal people's money to prevent their money from being stolen". The argument here is not that quantum risk is fake. It is that the cure may alter bitcoin's social contract in a way that is harder to reverse than the original problem.

That last camp matters disproportionately because it engages the question bitcoin holders care about most. Ownership in bitcoin is supposed to be unconditional. Any rule that makes it conditional, even for a defensible reason, sets a precedent that other rules can follow.

The main problem stated cleanly

Strip away the technical detail and the debate reduces to one question. If a cryptographically relevant quantum computer eventually arrives, what should bitcoin do about the roughly 6.7 million coins whose public keys are already visible on the chain?

There are three possible answers, and the network has to pick one.

Leave them alone, and accept that they will eventually be stolen. The first actor with sufficient quantum capability gets to extract several percent of bitcoin's supply and dump it into the market.

Freeze them on a timeline, and accept that legitimate owners who do not migrate, including the deceased, the imprisoned, the offline, and the inattentive, lose access to coins they own. The network preserves supply integrity at the cost of property rights for an undefined population.

Build optional defences and accept that the migration is uneven, slow, and dependent on every individual holder making the right move in time. The network preserves principle at the cost of certainty.

This is the choice. The cryptography is downstream of it.

What has already been built and proposed

Three concrete technical responses are live in the conversation as of May 2026.

BIP-360, titled Pay-to-Merkle-Root or P2MR, is the proactive output design. Authored by Hunter Beast, Ethan Heilman, and Isabel Foxen Duke, with contributions from StarkWare's Avihu Levy, it introduces a new bitcoin output type that uses NIST-approved post-quantum signatures and removes the quantum-vulnerable key-path spend from Taproot. It is framed as a soft fork. The draft BIP entered the official repository on 10 February 2026. BTQ Technologies has demonstrated working BIP-360 transactions on a quantum testnet. BIP-360 does not solve the legacy coin problem. It provides the destination address type that any migration would need to send coins to.

BIP-361, titled "Post Quantum Migration and Legacy Signature Sunset", is the migration mechanism that builds on top of BIP-360. Authored by Jameson Lopp and five other researchers, it landed in the bitcoin/bips GitHub repository on 14 April 2026. The proposal sets out a three-phase plan. Phase A, roughly three years after activation, blocks new bitcoin from being sent to legacy addresses. Phase B, five years after activation, deprecates ECDSA and Schnorr signatures entirely and effectively freezes any coins remaining in vulnerable addresses. Co-author Ethan Heilman has estimated that a full migration would take roughly seven years from the day consensus forms. This is the proposal generating most of the heat in the current debate. Charles Hoskinson has added a structural objection, arguing that BIP-361 is being presented as a soft fork but in practice would require a hard fork.

Quantum Safe Bitcoin, or QSB, is the most surprising of the three. Published on 9 April 2026 by Avihu Levy, StarkWare's chief product officer and a co-author of BIP-360, QSB is a hash-based transaction scheme that achieves quantum resistance using only bitcoin's existing script rules. It requires no soft fork, no miner signalling, and no community coordination. Security comes from the pre-image resistance of RIPEMD-160 combined with Lamport signatures and a hash-to-signature puzzle. The cost is the catch. Generating a valid QSB transaction requires hours of GPU work at an estimated cost of 75 to 200 dollars per transaction, against an average bitcoin transaction fee of roughly 33 cents. Levy describes QSB as a last-resort emergency measure, not a replacement for protocol-level upgrades. StarkWare co-founder Eli Ben-Sasson endorsed the work directly.
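QSB's own construction (RIPEMD-160 preimages and a hash-to-signature puzzle expressed in existing script) is not reproduced here. The block below is an added, textbook Lamport one-time signature in Python, written for this post and not StarkWare's code; it uses SHA-256 in place of RIPEMD-160 and signs a constructed message. It shows the three properties that make hash-based schemes attractive against Shor's algorithm and expensive in practice: security rests only on preimage resistance (where a quantum adversary gets at most Grover's quadratic speedup), keys and signatures are large, and each key must be used exactly once, which the reuse check at the end makes measurable.

```python
import hashlib
import secrets

N_BITS = 256  # one key pair per bit of the SHA-256 message digest


def H(data: bytes) -> bytes:
    # The only primitive the scheme relies on. Its preimage resistance is what
    # an attacker would have to defeat; Grover gives only a quadratic speedup
    # here, unlike Shor against elliptic-curve keys.
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 hash of each preimage (2 x 256 x 32 bytes)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def message_bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(sk, msg: bytes):
    """Reveal exactly one preimage per bit position, chosen by that bit."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed preimage and compare with the committed value."""
    if len(sig) != N_BITS:
        return False
    return all(H(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, message_bits(msg))))


def fully_revealed_positions(messages) -> int:
    """Number of bit positions at which both preimages would be public after
    signing all of `messages` with the same key. Any value above zero means
    the key has been reused and must be retired: this is why Lamport keys
    are one-time and why a scheme built on them signs with a fresh key each
    time."""
    seen = [set() for _ in range(N_BITS)]
    for m in messages:
        for i, bit in enumerate(message_bits(m)):
            seen[i].add(bit)
    return sum(1 for s in seen if len(s) == 2)


if __name__ == "__main__":
    sk, pk = keygen()
    tx = b"constructed tx: spend to a post-quantum output"  # constructed input
    sig = sign(sk, tx)
    print("valid:", verify(pk, tx, sig))
    print("tampered:", verify(pk, tx + b"!", sig))
    print("public key bytes:", sum(len(a) + len(b) for a, b in pk))
    print("signature bytes:", sum(len(s) for s in sig))
    print("positions leaked by signing two messages:",
          fully_revealed_positions([tx, b"a second message"]))
```

The public key is 16 KiB and every signature 8 KiB, against 32 or 33 bytes for a compressed secp256k1 key and roughly 64 to 72 bytes for a Schnorr or ECDSA signature; that size difference, before any script-level puzzle is added, is part of why hash-based spending is costly inside bitcoin's existing rules. Signing two different messages with one key always leaks both preimages at at least one position, since two distinct digests differ somewhere, which is the reason reuse has to be treated as a key compromise.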

A fourth strand is worth mentioning. Anchorage Digital's March 2026 "Quantum Turnstile" paper proposes a zero-knowledge migration system that lets users move funds from hash-anchored records after insecure signing paths are disabled. It is more complex than BIP-360 but addresses the migration problem more directly. Lightning Labs has also published a rescue prototype targeted at high-value holdings. Postquant Labs is building Quip Network, a layer-two scheme using WOTS+ hash-based signatures that lets holders protect coins without any change to the base protocol.

The structural read is that bitcoin now has, for the first time, a serious response stack across three time horizons. Long-term protocol upgrades through BIP-360. Mid-term migration governance through BIP-361. Immediate opt-in defence through QSB and similar schemes. None of the three is finished. All three are concrete.

Scenarios that could play out from here

It is not useful to predict which path bitcoin takes. It is useful to map the scenarios cleanly.

In the slow-and-conservative scenario, the community treats quantum as a real but distant risk. BIP-360 progresses through normal soft-fork review and ships sometime in 2027 or 2028. BIP-361 is debated, revised, and either deferred indefinitely or adopted in a watered-down form that incentivises rather than forces migration. Holders move their coins to quantum-resistant addresses on their own schedule. Lost coins eventually get stolen if a quantum machine arrives, but the freeze-versus-steal political confrontation never has to happen.

In the structured-migration scenario, BIP-361 or a successor passes with broad consensus, including miner signalling and ecosystem coordination across hardware wallets, custodians, and exchanges. Most legitimate holders migrate within the three-year Phase A window. Phase B activates, vulnerable coins are effectively frozen, and the network accepts the property-rights cost as the price of supply integrity. The political wound is real but heals over years.

In the emergency scenario, a quantum computing breakthrough arrives faster than the migration timeline. Holders rush to opt-in defences such as QSB, paying hundreds of dollars per transaction to secure large balances. The price of post-quantum transaction services becomes a real market. Bitcoin's ledger holds, but the migration is disorderly and visibly stressful.

In the harvest-and-decrypt scenario, state-level adversaries quietly collect exposed public keys today on the assumption that they will be able to decrypt the corresponding private keys in 5 to 10 years. The threat never announces itself, and the first sign of attack is movement from coins that have been dormant for a decade or more.

These scenarios are not mutually exclusive. Elements of all four are already in motion.

Is bitcoin's foundation in danger?

The honest answer is no, with one important qualification.

Bitcoin's monetary properties are not threatened by quantum computing in any direct sense. The 21 million supply cap is enforced by consensus rules that do not depend on ECDSA. The proof-of-work mining mechanism uses SHA-256, which Grover's algorithm can only attack with a quadratic speedup, leaving comfortable security margins. The ledger itself, the order of transactions, the difficulty adjustment, the halving schedule, the decentralisation of nodes: none of these is affected by quantum computing in any meaningful way.

What is affected is the cryptographic mechanism by which individual holders prove ownership of coins. That is a serious problem and a solvable one. It is the kind of problem cryptographic systems have solved before. NIST has standardised post-quantum signature schemes. The bitcoin developer ecosystem has working implementations on testnet. The question is not whether bitcoin can adopt quantum-resistant cryptography. The question is when, on what timeline, and with what treatment of coins whose owners cannot or will not migrate.

The qualification is the social contract. Bitcoin's value proposition rests in part on the claim that ownership is unconditional and rules do not change to extract value from holders. If BIP-361 or a similar proposal passes, that claim becomes "ownership is unconditional except in cases of cryptographic obsolescence determined by the developer community". That is a different proposition. It may still be the right proposition, but it is materially different from the original.

This is the part of the debate worth thinking through carefully. The technical problem has answers. The political problem does not have a clean one.

A useful counter-frame: the supply absorption argument

On-chain analyst James Check, founder of Checkonchain, published a widely circulated piece in late April titled "Selling Satoshi's Stack" that pushes back on the most-cited fear in the debate.

Check breaks down the often-quoted 6.9 million BTC figure. Roughly 1.716 million BTC sit in Satoshi-era P2PK addresses, another 214,000 BTC in Taproot wallets, and 4.996 million BTC in reused addresses. He argues that exchanges, custodians, and ETFs holding most of the reused-address coins will migrate well before any cryptographically relevant quantum computer arrives, since those entities have the resources and motivation to do so. The realistic worst case is therefore much smaller than the headline number suggests.

His core argument on market impact is the most interesting part. Using on-chain data on revived supply, he shows that the market routinely absorbs 10,000 to 30,000 BTC daily during bull markets. The entire Satoshi-era P2PK stash, if dumped in full, would equal roughly 60 to 90 days of normal sell-side flow. He also supports a BIP-360 "hourglass" idea that would cap P2PK spends at one per block, stretching any unwind across roughly 264 days and making coordinated dumping mathematically impossible.

The argument does not say quantum risk is fake. It says the apocalyptic version of the risk, quantum hackers crashing bitcoin overnight, is structurally implausible. That reframes the urgency question without dismissing the underlying threat.

What to watch from here

Three signals will tell you where this debate is actually heading.

The first is BIP-360 deployment progress. The proposal needs to move from testnet activity into a Bitcoin Core implementation, then through soft-fork activation review. Concrete milestones are public on GitHub.

The second is the response of large bitcoin custodians and ETF issuers to BIP-361. BlackRock, Fidelity, Coinbase Custody and the other institutional custodians collectively hold a meaningful share of the supply. Their public positions on legacy signature sunset will move the political conversation more than any individual developer's view.

The third is independent quantum hardware progress. The numbers to track are logical qubit counts, error correction milestones, and the timelines published by Google Quantum AI, IBM, and the major academic labs. The signal that changes the debate is not a price move. It is a logical-qubit benchmark that crosses a specific threshold.

The opening sentence of bitcoin's quantum chapter has now been written. The closing sentence will be written by the choices the network makes over the next three to five years. Those choices are technical, political, and philosophical at the same time. The serious work is in holding all three together.

Key terms

ECDSA: Elliptic Curve Digital Signature Algorithm. The cryptographic scheme bitcoin uses to authorise spending. Vulnerable in principle to Shor's algorithm on a sufficiently powerful quantum computer.

Shor's algorithm: A quantum algorithm that, given enough qubits, can derive a private key from an exposed public key. The core mathematical reason quantum computing matters for bitcoin.

P2PK (Pay-to-Public-Key): A legacy bitcoin address format used in the Satoshi era. Stores the full public key on-chain, making the coins structurally vulnerable to quantum attack.

P2MR (Pay-to-Merkle-Root): A new bitcoin output type proposed in BIP-360. Removes Taproot's quantum-vulnerable key-path spend and provides a destination for post-quantum migration.

BIP-360: Bitcoin Improvement Proposal 360. Introduces P2MR as a soft fork. Provides the quantum-resistant infrastructure for new coins.

BIP-361: Bitcoin Improvement Proposal 361. Titled "Post Quantum Migration and Legacy Signature Sunset". Proposes a three-phase deprecation of ECDSA and Schnorr signatures, effectively freezing unmigrated coins after roughly five years.

QSB (Quantum Safe Bitcoin): A hash-based scheme published by StarkWare's Avihu Levy on 9 April 2026. Provides per-transaction quantum resistance without any protocol change, at a cost of 75 to 200 dollars per transaction.

CRQC: Cryptographically relevant quantum computer. A quantum machine with enough logical qubits to break real-world cryptography. No such machine exists today.

Harvest now, decrypt later: The risk that adversaries are collecting exposed public keys today, planning to recover the corresponding private keys when quantum capability matures.

About Bitcoin Poland Conference

Bitcoin Poland Conference is a professional bitcoin event taking place in October 2026. The conference brings together institutional investors, builders, policy professionals and researchers for two days of focused, professional-grade programming on bitcoin's technology, markets and policy environment.

This is the second post in our editorial series on the structural shifts shaping bitcoin in 2026. The first piece covered Strategy's abandonment of its "never sell" doctrine. Upcoming pieces will look at the rise of nation-state bitcoin reserves and the institutional restructuring of the corporate bitcoin treasury category.
