OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Intel· Quantum series· Apr 5, 2026· 5 min read

Four Bitcoin Proposals for Surviving a Quantum Attack

Google's March 31 whitepaper compressed the estimated qubit threshold for breaking Bitcoin's elliptic-curve cryptography by 20x. Bitcoin developers have known the threat was coming for years. There are now four concrete proposals in various states of development — BIP-360, SPHINCS+, SHRIMPS, and Hourglass V2. None are activated. None have a scheduled deployment. The governance problem may be harder than the cryptography problem.

Key takeaways

  1. BIP-360, authored by Hunter Beast, Ethan Heilman, and Isabel Foxen Duke, proposes a new Pay-to-Quantum-Resistant-Hash (P2QRH) address type that keeps public keys hidden until spending — restoring the hash-first protection that Taproot removed by default. BIP-360 addresses new coins going forward. It does nothing for the 6.9 million BTC already sitting in addresses with exposed public keys
  2. SPHINCS+ (standardized by NIST in August 2024 as FIPS 205 / SLH-DSA) is a hash-based post-quantum signature scheme that avoids the quantum risks facing ECDSA. The tradeoff is size: current Bitcoin signatures are 64 bytes. SLH-DSA signatures are 8 kilobytes or more. Adopting it directly would sharply increase block space demand and raise transaction fees for all users
  3. SHRIMPS and SHRINCS are competing proposals to reduce post-quantum signature sizes while preserving the security guarantees of hash-based schemes. Both are active areas of research aimed at making SPHINCS+-style security practical within Bitcoin's block size constraints
  4. Hourglass V2 addresses the legacy exposure problem specifically: roughly 1.7 million BTC in early P2PK addresses, including coins attributed to Satoshi Nakamoto, have exposed public keys and cannot be upgraded by their owners. Hourglass V2 would impose a timelocked spending delay on these coins to slow any quantum attacker trying to drain them, buying time for a coordinated response
  5. Bitcoin's decentralized governance has no central authority to set a migration deadline or mandate a specific upgrade path. The last major cryptographic change — Taproot — took years of discussion before activation in 2021. A post-quantum migration requires protocol-level changes touching every wallet format, every address type, and every client implementation. Ethereum has had a coordinated post-quantum roadmap since 2018. Bitcoin does not

What Happened

On March 31, 2026, Google's Quantum AI team published research arguing the qubit threshold for attacking Bitcoin's elliptic-curve cryptography is materially lower than prior estimates — under 500,000 physical qubits, roughly a 20x reduction from what the industry had assumed. Google's own internal deadline for migrating to post-quantum cryptography is 2029. Bitcoin developers have been discussing post-quantum migration for years. There are now four concrete technical proposals in circulation. None are scheduled for deployment. None have activated. The gap between research and governance is the story.

BIP-360: Protecting New Coins

BIP-360 proposes a new address type called Pay-to-Quantum-Resistant-Hash, or P2QRH. The core design principle is the same one that protected legacy P2PKH addresses: keep the public key hidden behind a hash until spending. Taproot removed that layer for wallets using the new bc1p format. BIP-360 restores it using a quantum-resistant commitment scheme.

The important limitation: BIP-360 protects new coins going forward. A wallet migrated to P2QRH before a quantum attacker is operational would be safe. The 6.9 million BTC already sitting in addresses with exposed public keys — Taproot addresses, reused addresses, early P2PK coins — cannot be protected retroactively by BIP-360. Those coins require a different solution. BIP-360 passed early review stages and remains under active discussion, but has no activation timeline.

SPHINCS+: The Signature Scheme With a Size Problem

SPHINCS+ is a post-quantum signature scheme built on hash functions rather than elliptic-curve mathematics. Because Shor's algorithm targets elliptic-curve discrete logarithm problems specifically, hash-based designs like SPHINCS+ are not similarly vulnerable. The US National Institute of Standards and Technology standardized SPHINCS+ in August 2024 as FIPS 205 — also called SLH-DSA — after years of public cryptographic review. It is the most battle-tested post-quantum signature standard currently available.

The problem is block space. Current Bitcoin ECDSA signatures are 64 bytes. SLH-DSA signatures are 8 kilobytes or more — roughly 125 times larger. Adopting SLH-DSA directly would increase transaction sizes dramatically, reduce how many transactions fit in each block, and raise fees across the network for all users. This is not a theoretical objection — it is an engineering constraint that requires a real solution before SPHINCS+ becomes practical for Bitcoin.

SHRIMPS, SHRINCS, and the Size Problem

SHRIMPS (Stateless Hash-based Ring-signature IMProved Scheme) and SHRINCS are two competing proposals to reduce post-quantum signature sizes while preserving the security properties of hash-based schemes. Both are active areas of cryptographic research specifically motivated by Bitcoin's block space constraints. Neither is standardized. Neither has a published activation proposal. They represent the active frontier of the technical work: the gap between 'post-quantum signatures exist and are secure' and 'post-quantum signatures are small enough to deploy on Bitcoin without breaking the fee market'.

Hourglass V2: The Legacy Coin Problem

About 1.7 million BTC sits in early Pay-to-Public-Key addresses from Bitcoin's first years, many believed inaccessible due to lost keys. These addresses include coins attributed to Satoshi Nakamoto. Every one of them has an exposed public key visible on-chain. If a sufficiently capable quantum computer becomes operational before Bitcoin deploys a migration, these coins would be among the first targets.

Hourglass V2 proposes a timelocked spending delay specifically for these long-dormant exposed addresses. The logic is defensive: if a quantum attacker tries to drain Satoshi-era coins, a mandatory delay creates a window for the network to detect and respond. It does not make the coins quantum-safe. It buys time. The proposal is controversial because it raises direct questions about protocol-level interference with coin ownership — even for coins that have been unmoved for over a decade.

The Governance Problem

Every one of these proposals requires a coordinated protocol change touching wallet software, address formats, signature verification, and client implementations across the entire network. Bitcoin's decentralized governance has no central authority to mandate a migration or set a deadline. Taproot — a far less disruptive upgrade — took years of debate before activating in 2021. A post-quantum migration is structurally more complex than Taproot.

Ethereum has been building toward post-quantum migration since 2018, with a published roadmap spanning four hard forks, weekly devnets under the PQ Interop program, and dedicated engineering teams across cryptography, protocol architecture, and multiple client implementations. Bitcoin developer Jameson Lopp has estimated that a full quantum-safe Bitcoin upgrade could take five to ten years to implement even if the community agreed today. Google's 2029 internal deadline is three years away.

What This Means for You

The practical action today is the same as it was after the Google paper: do not reuse addresses. A fresh receiving address for every incoming transaction means your public key is never on-chain until you spend from that address. Once you spend, the key is briefly visible — that exposure window is what the quantum threat models. After confirmation it closes, but the key remains on-chain permanently.

Understand your address type. P2PKH (starting with 1) and SegWit (bc1q) hash the public key until spending. Taproot (bc1p) exposes it by default. This is not a reason to panic about existing Taproot holdings — no quantum computer capable of this attack exists today. It is a reason to follow address hygiene practices now so your habits are solid before the threat window narrows. Watch BIP-360's development progress as the leading indicator of where Bitcoin's post-quantum migration actually stands.

What to Watch

The signal to watch is not price reaction to quantum news — it is whether BIP-360 receives a formal Bitcoin Improvement Proposal number and enters the activation discussion process. Watch also for NIST's progress on standardizing additional post-quantum signature schemes beyond SLH-DSA, as those standards inform what Bitcoin developers can build toward. And watch Google's 2029 internal deadline as the clearest external benchmark: if the organization that published this research is migrating its own infrastructure by then, that is the practical horizon the Bitcoin development community is working against.

The cryptography problem has four proposed solutions. The governance problem has none.

Sources

  1. [1]CoinDesk — 'Bitcoin's $1.3 Trillion Security Race: Key Initiatives Aimed at Quantum-Proofing the World's Largest Blockchain', April 5, 2026
  2. [2]Google Quantum AI — 'Securing Elliptic Curve Cryptocurrencies against Quantum Attacks', whitepaper, March 31, 2026
  3. [3]NIST — FIPS 205 (SLH-DSA / SPHINCS+), standardized August 2024
  4. [4]BIP-360 — Pay to Quantum Resistant Hash, Hunter Beast, Ethan Heilman, Isabel Foxen Duke. bip360.org
  5. [5]Bitcoin Optech — post-quantum signature scheme tracking and BIP-360 coverage
  6. [6]Jameson Lopp — public commentary on Bitcoin quantum migration timeline estimates
  7. [7]Ethereum Foundation — pq.ethereum.org, PQ Interop devnet documentation
Quantum series · Part 2 of 9
← Previous part
Google Cut the Estimated Qubit Threshold for Breaking Bitcoin by 20x
Next part →
Two Papers Reframe Bitcoin's Quantum Threat as Mostly Misunderstood

More in Quantum

Trump Executive Order Moves Federal PQC Deadline to 2031Project Eleven's 15-Bit Quantum Bounty, Reproduced in 20 Python LinesPostquant Labs Shipped Quantum Protection Without a Bitcoin Soft Fork