What Happened
On March 31, 2026, Google's Quantum AI team published research arguing the qubit threshold for attacking Bitcoin's elliptic-curve cryptography is materially lower than prior estimates — under 500,000 physical qubits, roughly a 20x reduction from what the industry had assumed. Google's own internal deadline for migrating to post-quantum cryptography is 2029. Bitcoin developers have been discussing post-quantum migration for years. There are now four concrete technical proposals in circulation. None are scheduled for deployment. None have activated. The gap between research and governance is the story.
BIP-360: Protecting New Coins
BIP-360 proposes a new address type called Pay-to-Quantum-Resistant-Hash, or P2QRH. The core design principle is the same one that protected legacy P2PKH addresses: keep the public key hidden behind a hash until spending. Taproot removed that layer for wallets using the new bc1p format. BIP-360 restores it using a quantum-resistant commitment scheme.
The important limitation: BIP-360 protects new coins going forward. A wallet migrated to P2QRH before a quantum attacker is operational would be safe. The 6.9 million BTC already sitting in addresses with exposed public keys — Taproot addresses, reused addresses, early P2PK coins — cannot be protected retroactively by BIP-360. Those coins require a different solution. BIP-360 passed early review stages and remains under active discussion, but has no activation timeline.
SPHINCS+: The Signature Scheme With a Size Problem
SPHINCS+ is a post-quantum signature scheme built on hash functions rather than elliptic-curve mathematics. Because Shor's algorithm targets elliptic-curve discrete logarithm problems specifically, hash-based designs like SPHINCS+ are not similarly vulnerable. The US National Institute of Standards and Technology standardized SPHINCS+ in August 2024 as FIPS 205 — also called SLH-DSA — after years of public cryptographic review. It is the most battle-tested post-quantum signature standard currently available.
The problem is block space. Current Bitcoin ECDSA signatures are 64 bytes. SLH-DSA signatures are 8 kilobytes or more — roughly 125 times larger. Adopting SLH-DSA directly would increase transaction sizes dramatically, reduce how many transactions fit in each block, and raise fees across the network for all users. This is not a theoretical objection — it is an engineering constraint that requires a real solution before SPHINCS+ becomes practical for Bitcoin.
SHRIMPS, SHRINCS, and the Size Problem
SHRIMPS (Stateless Hash-based Ring-signature IMProved Scheme) and SHRINCS are two competing proposals to reduce post-quantum signature sizes while preserving the security properties of hash-based schemes. Both are active areas of cryptographic research specifically motivated by Bitcoin's block space constraints. Neither is standardized. Neither has a published activation proposal. They represent the active frontier of the technical work: the gap between 'post-quantum signatures exist and are secure' and 'post-quantum signatures are small enough to deploy on Bitcoin without breaking the fee market'.
Hourglass V2: The Legacy Coin Problem
About 1.7 million BTC sits in early Pay-to-Public-Key addresses from Bitcoin's first years, many believed inaccessible due to lost keys. These addresses include coins attributed to Satoshi Nakamoto. Every one of them has an exposed public key visible on-chain. If a sufficiently capable quantum computer becomes operational before Bitcoin deploys a migration, these coins would be among the first targets.
Hourglass V2 proposes a timelocked spending delay specifically for these long-dormant exposed addresses. The logic is defensive: if a quantum attacker tries to drain Satoshi-era coins, a mandatory delay creates a window for the network to detect and respond. It does not make the coins quantum-safe. It buys time. The proposal is controversial because it raises direct questions about protocol-level interference with coin ownership — even for coins that have been unmoved for over a decade.
The Governance Problem
Every one of these proposals requires a coordinated protocol change touching wallet software, address formats, signature verification, and client implementations across the entire network. Bitcoin's decentralized governance has no central authority to mandate a migration or set a deadline. Taproot — a far less disruptive upgrade — took years of debate before activating in 2021. A post-quantum migration is structurally more complex than Taproot.
Ethereum has been building toward post-quantum migration since 2018, with a published roadmap spanning four hard forks, weekly devnets under the PQ Interop program, and dedicated engineering teams across cryptography, protocol architecture, and multiple client implementations. Bitcoin developer Jameson Lopp has estimated that a full quantum-safe Bitcoin upgrade could take five to ten years to implement even if the community agreed today. Google's 2029 internal deadline is three years away.
What This Means for You
The practical action today is the same as it was after the Google paper: do not reuse addresses. A fresh receiving address for every incoming transaction means your public key is never on-chain until you spend from that address. Once you spend, the key is briefly visible — that exposure window is what the quantum threat models. After confirmation it closes, but the key remains on-chain permanently.
Understand your address type. P2PKH (starting with 1) and SegWit (bc1q) hash the public key until spending. Taproot (bc1p) exposes it by default. This is not a reason to panic about existing Taproot holdings — no quantum computer capable of this attack exists today. It is a reason to follow address hygiene practices now so your habits are solid before the threat window narrows. Watch BIP-360's development progress as the leading indicator of where Bitcoin's post-quantum migration actually stands.
What to Watch
The signal to watch is not price reaction to quantum news — it is whether BIP-360 receives a formal Bitcoin Improvement Proposal number and enters the activation discussion process. Watch also for NIST's progress on standardizing additional post-quantum signature schemes beyond SLH-DSA, as those standards inform what Bitcoin developers can build toward. And watch Google's 2029 internal deadline as the clearest external benchmark: if the organization that published this research is migrating its own infrastructure by then, that is the practical horizon the Bitcoin development community is working against.