How Bitcoin Can Defend Against Quantum Computing: BIP-360, Post-Quantum Cryptography, and the Road Ahead

Glenn Cameron | Global Head, Onramp Institutional

Mar 7, 2026

The quantum threat to Bitcoin is real but distant. The defense is already being built. Here is what post-quantum cryptography is, how it can be integrated into Bitcoin, what the major proposals look like, and why the hardest part is not the math but the coordination.

The question most people ask about quantum computing and Bitcoin is "when will it be a threat?" The honest answer: not for a long time. Most credible estimates place a cryptographically relevant quantum computer (CRQC) at least 10 to 15 years away, with many researchers projecting 20 years or more. Current quantum hardware is multiple orders of magnitude below the threshold needed to threaten Bitcoin's cryptography. This is a future problem, not a present emergency.

But it is a future problem worth preparing for, and for Bitcoin's developer community, the more urgent question has been "what do we do about it, and how do we avoid doing it badly?" The cryptographic tools to defend Bitcoin against quantum attacks already exist. The challenge is deploying them across a decentralized network where no single entity can mandate an upgrade, and where every change to the protocol carries consequences that last forever. The good news is that Bitcoin has at least 5 years, and probably closer to 10, to get this right.

What Post-Quantum Cryptography Actually Is

Post-quantum cryptography (PQC) refers to cryptographic algorithms that are designed to be secure against both classical and quantum computers. These are not quantum algorithms. They run on regular computers. They simply rely on mathematical problems for which no efficient quantum algorithm is known.

Bitcoin currently relies on elliptic curve cryptography (ECC) for digital signatures, specifically ECDSA over the secp256k1 curve. ECC is vulnerable to Shor's algorithm on a sufficiently powerful quantum computer because the underlying mathematical problem (the elliptic curve discrete logarithm problem) can be solved efficiently by quantum algorithms.

PQC replaces the underlying mathematical problem with one that resists quantum attack. The most prominent approaches include lattice-based cryptography, which relies on the difficulty of finding short vectors in high-dimensional lattices, and hash-based cryptography, which relies only on the security of hash functions, something Bitcoin already depends on extensively.

The National Institute of Standards and Technology (NIST) has been running a multi-year standardization process to evaluate and formalize PQC algorithms. In August 2024, NIST finalized its first three post-quantum standards: ML-KEM (for key encapsulation), ML-DSA (formerly CRYSTALS-Dilithium, for digital signatures using lattice-based math), and SLH-DSA (for digital signatures using hash-based math). A fifth algorithm, HQC, was selected in March 2025. These standards have undergone years of rigorous testing and peer review.

PQC is not theoretical. It is already deployed across significant portions of the internet. Recent versions of OpenSSH and OpenSSL enable a hybrid post-quantum key exchange by default, combining a post-quantum KEM with a classical elliptic-curve exchange so that a break of either one alone does not expose the session. Web browsers and content delivery networks have integrated PQC the same way. A significant share of global internet traffic already uses quantum-safe key exchange, even though authentication on the web still rests on classical signatures. The broader technology world is moving, and moving ahead of the threat.

Why Integrating PQC Into Bitcoin Is Harder Than Everywhere Else

If PQC is already deployed across the internet, why has Bitcoin not adopted it yet? The answer is that Bitcoin operates under constraints that do not exist in traditional internet applications.

Bitcoin blocks have limited space. Every transaction must fit within a block, and blocks are produced approximately every 10 minutes. Today's Bitcoin signatures are compact. ECC signatures are roughly 72 bytes. Many post-quantum signature schemes produce signatures that are dramatically larger, sometimes 10 to 50 times bigger. Lattice-based signatures like ML-DSA produce signatures of roughly 2,420 bytes. Hash-based schemes vary but are generally larger as well.

The direct consequence: bigger signatures mean fewer transactions per block. Fewer transactions per block mean higher fee pressure during busy periods. Higher fees mean worse user experience and potentially more reliance on batching, layer-2 solutions, or custodial services. Deploying PQC in Bitcoin is not just a security upgrade. It is a fundamental change to the economics of block space.

Bitcoin Script, the virtual machine that processes transactions, is also constrained by consensus limits on data and compute resources. Any PQC implementation must be efficient enough to operate within these limits without requiring dramatic changes to Bitcoin's architecture.

Additionally, PQC must integrate with existing custody practices: hierarchical deterministic (HD) wallets, hardware signing devices, and the broader ecosystem of exchanges, custodians, and financial services that interact with the Bitcoin protocol. A PQC upgrade that breaks compatibility with existing wallet infrastructure creates its own migration crisis.

These constraints are why no PQC proposal has yet achieved consensus within the Bitcoin developer community. It is not because the problem is unsolvable. It is because the tradeoffs are significant and the consequences of choosing poorly are permanent.

BIP-360: The Leading Proposal

BIP-360, recently updated and merged into the Bitcoin Improvement Proposal GitHub repository, proposes a new output type called Pay-to-Tapscript-Hash (P2TSH). The design is nearly identical to Taproot, but with one critical difference: it removes the key-path spend, which is the component that exposes a tweaked public key in Taproot outputs.

By eliminating the key-path spend, P2TSH removes the most direct quantum vulnerability in Taproot while preserving the script-path functionality that makes Taproot useful. It is a pragmatic step that reduces exposure and buys optionality without requiring the Bitcoin community to immediately commit to a specific PQC signature algorithm.

BIP-360 is not the final answer to quantum resistance. It is a structural improvement that makes Bitcoin's address architecture more compatible with future PQC integration. Think of it as building the foundation before choosing the walls.

The proposal has generated active discussion within the developer community, but it has not yet achieved the level of consensus needed for activation. Each aspect of the design involves tradeoffs that different stakeholders evaluate differently.

The Chaincode Dual-Track Strategy

A May 2025 research report from Chaincode Labs proposed what may be the most pragmatic framework for thinking about the quantum defense timeline: a dual-track strategy.

Track 1: Contingency (approximately 2 years). This is the minimum viable protection path. It includes near-term measures that can be deployed relatively quickly to buy time, even if they are not the permanent solution. Key elements include commit-delay-reveal migration patterns (where you publish a commitment to move coins without revealing the vulnerable public key, wait for deep confirmation, then reveal and move), wallet and policy defaults that reduce avoidable exposure (no address reuse, xpub protection), and emergency-safe migration tools.

These are not glamorous innovations. They are operational hygiene scaled to a protocol level. Their value is that they can be deployed before the community reaches consensus on a comprehensive PQC solution.
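A simplified model of the commit-delay-reveal pattern described in Track 1, as an added example here and not code from the Chaincode report or any Bitcoin implementation. It assumes a toy chain in which a block is just the set of commitment hashes it contains, a constructed DELAY of 6 blocks, and placeholder public keys and destination scripts; the real proposal's flag-day activation and tie-breaking between competing commitments are left out.

```python
import hashlib
from dataclasses import dataclass, field

DELAY = 6  # constructed policy: a commitment must be at least this many blocks deep before reveal


@dataclass
class Chain:
    """Toy chain: each block is just the set of commitment hashes it contains."""
    blocks: list = field(default_factory=list)

    def mine(self, commitments=()):
        self.blocks.append(set(commitments))

    def depth_of(self, commitment):
        """Confirmations of the first block holding the commitment, or None if absent."""
        for i, blk in enumerate(self.blocks):
            if commitment in blk:
                return len(self.blocks) - i
        return None


def commit(vulnerable_pubkey: bytes, dest_script: bytes, salt: bytes) -> bytes:
    """Commitment to moving the coins behind vulnerable_pubkey to dest_script.
    Only this hash goes on-chain, so the public key itself stays hidden until the reveal."""
    return hashlib.sha256(b"commit-delay-reveal" + vulnerable_pubkey + dest_script + salt).digest()


def reveal_is_valid(chain: Chain, vulnerable_pubkey: bytes, dest_script: bytes, salt: bytes) -> bool:
    """Reveal rule: accept the spend only if the matching commitment is at least DELAY blocks deep."""
    depth = chain.depth_of(commit(vulnerable_pubkey, dest_script, salt))
    return depth is not None and depth >= DELAY


def scenario() -> dict:
    """Constructed walk-through: the owner commits, waits, then reveals. An attacker who first
    learns the public key from that reveal cannot have a competing commitment deep enough."""
    chain = Chain()
    owner_pub = b"\x02" + b"\x11" * 32      # placeholder compressed public key
    owner_dest = b"pq-safe-output-A"        # placeholder quantum-safe destination script
    salt = b"\x42" * 16                     # random in practice; fixed here for reproducibility
    chain.mine([commit(owner_pub, owner_dest, salt)])
    for _ in range(DELAY - 1):              # wait for deep confirmation
        chain.mine()
    honest_ok = reveal_is_valid(chain, owner_pub, owner_dest, salt)
    # The public key becomes visible at reveal time; a competing commitment can only start now.
    attacker_dest, attacker_salt = b"attacker-output", b"\x99" * 16
    chain.mine([commit(owner_pub, attacker_dest, attacker_salt)])
    attacker_ok = reveal_is_valid(chain, owner_pub, attacker_dest, attacker_salt)
    return {"honest_reveal_accepted": honest_ok, "attacker_reveal_accepted": attacker_ok}
```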

Track 2: Comprehensive (approximately 7 years). This is where Bitcoin does the hard work of choosing, implementing, and deploying a post-quantum signature scheme that is secure, efficient enough for Bitcoin's block space constraints, compatible with the existing ecosystem of wallets and hardware devices, and maintainable over the long term.

The comprehensive track must also solve the migration question: how do you get millions of holders, thousands of wallets, hundreds of exchanges, and dozens of hardware manufacturers to move Bitcoin from old address formats to new ones? This is a coordination problem at least as difficult as the cryptographic one.

The point of the dual-track framework is not to predict when quantum becomes dangerous. It is to avoid being cornered into a rushed, bad upgrade if the timeline compresses faster than expected. The contingency track buys time. The comprehensive track uses that time wisely.

Other Proposals and Enablers

BIP-360 and the Chaincode dual-track are not the only work underway. OP_CAT, a proposed reintroduction of an opcode that concatenates stack items in Tapscript, could expand what is feasible inside Bitcoin Script and support certain quantum mitigation constructions. OP_CAT does not make Bitcoin quantum-resistant on its own, but small script primitives can unlock whole classes of security designs that were previously impractical.

Taproot itself, while it introduces a public key exposure that needs addressing, provides the script-path flexibility that enables smarter spend-path design as part of a broader mitigation toolkit. And BTQ Technologies has already demonstrated a working Bitcoin implementation using ML-DSA (lattice-based) signatures to replace ECDSA in their Bitcoin Quantum Core Release 0.2, proving that the technical migration is feasible even if the consensus question remains open.

The Bitcoin developer community is not waiting for a single silver-bullet solution. Multiple proposals are being explored in parallel, each with different tradeoffs, and the eventual path forward may incorporate elements from several of them.

The Signature Size Problem

The most uncomfortable tradeoff in any PQC upgrade is the impact on block space.

Bitcoin's current ECC-based signatures are remarkably compact. A standard ECDSA signature is roughly 72 bytes. A Schnorr signature (used in Taproot) is 64 bytes. These compact signatures are part of what makes Bitcoin's base layer functional at scale.

Post-quantum alternatives are significantly larger. Lattice-based signatures like ML-DSA are roughly 2,420 bytes. Hash-based signatures vary depending on the scheme, but many are in the range of several hundred to several thousand bytes. Even the most optimized proposals are many times larger than what Bitcoin uses today.

This is not a solvable problem in the traditional sense. It is a tradeoff that must be managed. Moving too early with a bulky signature scheme could permanently reduce Bitcoin's base-layer throughput. Moving too late could leave the network exposed. The engineering challenge is finding the right scheme at the right time, and the right time depends on quantum progress that no one can predict with certainty.
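To put the signature sizes from this section and the earlier block-space discussion into per-block terms, here is an added example (not from the post) that estimates how many single-input, single-output transactions fit in a 4,000,000 weight-unit block under BIP141's witness discount. It assumes an approximate 94-byte non-witness transaction skeleton, ignores the script and control-block bytes a script-path spend would add, and takes the ML-DSA-44 and SLH-DSA-SHA2-128s sizes from the FIPS 204 and FIPS 205 parameter sets; the SLH-DSA figures are not in the post.

```python
MAX_BLOCK_WEIGHT = 4_000_000  # BIP141 consensus limit, in weight units (WU)

# Approximate non-witness bytes of a 1-input, 1-output transaction: version 4, input count 1,
# outpoint 36, empty scriptSig length 1, sequence 4, output count 1, value 8,
# scriptPubKey length 1, 34-byte (P2TR-sized) scriptPubKey, locktime 4.
BASE_BYTES = 94

# Witness item sizes in bytes. ECDSA/Schnorr figures are the post's; ML-DSA-44 and
# SLH-DSA-SHA2-128s are the FIPS 204 / FIPS 205 parameter-set sizes (added here, not in the post).
# A key-path Taproot spend carries no public key in the witness (it sits in the output).
SCHEMES = {
    "ECDSA (P2WPKH)":     {"sig": 72,   "pubkey": 33},
    "Schnorr (P2TR key)": {"sig": 64,   "pubkey": 0},
    "ML-DSA-44":          {"sig": 2420, "pubkey": 1312},
    "SLH-DSA-SHA2-128s":  {"sig": 7856, "pubkey": 32},
}


def varint_len(n: int) -> int:
    """Bytes used by Bitcoin's CompactSize length prefix (values below 2**16 only)."""
    return 1 if n < 253 else 3


def witness_bytes(sig: int, pubkey: int) -> int:
    """Segwit marker+flag (2) + stack item count (1) + each item with its length prefix."""
    items = [sig] + ([pubkey] if pubkey else [])
    return 3 + sum(varint_len(n) + n for n in items)


def tx_weight(sig: int, pubkey: int) -> int:
    """Non-witness bytes count 4 WU each, witness bytes 1 WU each (the witness discount)."""
    return 4 * BASE_BYTES + witness_bytes(sig, pubkey)


def txs_per_block(sig: int, pubkey: int) -> int:
    return MAX_BLOCK_WEIGHT // tx_weight(sig, pubkey)


def capacity_table() -> dict:
    """Maximum number of these minimal transactions per block for each scheme."""
    return {name: txs_per_block(p["sig"], p["pubkey"]) for name, p in SCHEMES.items()}


def capacity_ratio(baseline: str, candidate: str) -> float:
    """How many times fewer transactions fit per block with candidate than with baseline."""
    table = capacity_table()
    return table[baseline] / table[candidate]


if __name__ == "__main__":
    for name, n in capacity_table().items():
        print(f"{name:20s} {n:6d} txs/block")
```

Because witness bytes count one weight unit each against four for non-witness bytes, an ML-DSA-44 signature that is roughly 34 times larger than an ECDSA signature cuts this per-block capacity by closer to 8.5 times, which is still a severe throughput loss.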

Blockstream Research published an analysis in December 2025 noting that hash-based signatures are particularly compelling for Bitcoin because the network already relies on the security of hash functions. This alignment reduces the number of new cryptographic assumptions Bitcoin would need to adopt. Discussion continues around the tradeoffs between stateful and stateless hash-based schemes (a stateful scheme must never reuse a one-time key, which complicates wallet backups and multi-device signing) and around further size optimization.

The Governance Challenge: Burn vs. Steal

Even if the Bitcoin community reaches consensus on a PQC implementation and successfully deploys quantum-safe addresses, a hard question remains: what happens to coins that are not migrated?

Some Bitcoin will never be migrated to quantum-safe addresses. Lost coins, including Satoshi's estimated 1.1 million BTC in P2PK format, cannot be moved because no one has the private keys. Other holders may be inactive, unreachable, or simply slow to act. When a CRQC eventually arrives, these coins become vulnerable to theft.

Two philosophical camps have emerged.

Freeze (burn) vulnerable coins. After a clearly communicated migration deadline, change the consensus rules so that coins in legacy quantum-vulnerable address types become permanently unspendable. This prevents theft but permanently removes those coins from circulation. Proponents argue this is better for Bitcoin than allowing a quantum attacker to claim billions in dormant coins. Critics argue it sets a dangerous precedent: if Bitcoin can freeze coins once, the justification to do it again will always exist.

Accept theft (valid signature wins). Keep the bearer-asset principle intact. If someone can produce a valid signature, they can spend the coins, regardless of how they obtained the key. This preserves protocol purity but normalizes quantum theft as an outcome and could trigger a massive redistribution of Bitcoin supply that shocks the market.

Both paths are socially contentious. The debate is not primarily technical. It is philosophical, touching on the deepest questions about what Bitcoin is and what properties it must preserve. This discussion will likely intensify as quantum computing advances through the stages outlined in the Ark Invest/Unchained framework.

The good news is that this governance question is separable from the PQC implementation question. The community can deploy quantum-safe addresses without resolving the burn vs. steal debate immediately. The two issues are frequently conflated, and disentangling them may be necessary for progress on either front.

What This Means for Holders

If you are holding Bitcoin for the long term, the practical takeaway is straightforward: the defense exists, the community is working on it, and the timeline is measured in years to decades, not months.

The most important thing you can do now is ensure your custody infrastructure is positioned to execute a migration when the time comes. Holders in institutional custody arrangements will have the migration coordinated across all key-holding institutions by professionals managing the process. Self-custody holders will need to generate new keys, create new addresses, and move funds manually across every signing device.

Neither approach is inherently better. But the operational complexity is different, and understanding that difference before a migration is necessary is far better than discovering it under pressure.

When the cryptographic landscape evolves, your custody infrastructure needs to evolve with it. Onramp's multi-institution custody is built to coordinate key migrations, address-type upgrades, and UTXO management across three independent institutions, so the transition happens smoothly and your Bitcoin stays secure. Schedule a consultation to learn how the architecture works, or sign up here to get started.
