BIP-360: How Bitcoin is Preparing for the Quantum Computing Era

Bitcoin has survived more than fifteen years of skeptics, forks, and market crashes. The next challenge comes from quantum computing, which is now an active engineering race, and the first developers are already writing Bitcoin's response. In February 2026, BIP-360 was published as a draft proposal, a focused attempt to harden Bitcoin outputs against one specific class of quantum attack. This article explains what BIP-360 is actually trying to do, how serious the threat is, and what all of this means for your Bitcoin holdings.

Key Takeaways

  • Right now, no quantum computer can touch Bitcoin. But the math that protects it has a known weakness, and the time to address it is before the hardware catches up.
  • The real risk is public keys that stay visible on-chain for years, not quantum computing in general.
  • About 1.92 million BTC are structurally exposed by design, including most early Satoshi-era coins. Another 4.12 million BTC are exposed through address reuse.
  • BIP-360 proposes a new address format that closes that risk without rebuilding the Bitcoin network.
  • For most people holding Bitcoin, nothing urgent needs to be done today, but understanding the risk is the starting point.

The Quantum Clock Is Running

Quantum computing is not a hypothetical idea. Its progress creates a transition problem for the whole digital world, because the public-key systems that secure websites, software, identity systems, financial infrastructure, and encrypted communications are in the same position as Bitcoin. In that sense, Bitcoin is not a special case so much as a very visible one.

In many systems, exposed public keys are transient or harder to inspect at scale. On Bitcoin, by contrast, public keys can remain visible on-chain for years, which gives future attackers time to harvest them now and attempt key recovery later once hardware improves. That is the logic behind "long-exposure risk".

Bitcoin's security relies on the Elliptic Curve Digital Signature Algorithm, or ECDSA. When a wallet controls Bitcoin, it holds a private key, and a public key is derived from it. With today's computers, knowing the public key does not make it practical to recover the private key.

Quantum computers threaten that assumption. A sufficiently powerful quantum machine running Shor's algorithm could, in theory, derive a private key from an exposed public key and take the funds. The important qualifier is "sufficiently powerful." That machine does not exist today. The concern is long-term preparedness, not an immediate break of Bitcoin.

This is also why BIP-360, a proposal published in February 2026 that we discuss below, is framed as a first step in solving this complex problem.

How Far Away Is the Quantum Threat?

The timing is still the hard part. Nobody can say exactly when a cryptographically relevant quantum computer will arrive, and the estimates vary a lot because they depend on the architecture, the error-correction model, and how much hardware overhead is assumed.

Project Eleven's April 2026 result is a good example of why caution matters. The group framed it as a 15-bit ECC recovery on public quantum hardware. At the same time, former Bitcoin Core maintainer Jonas Schnelli argued that the output was indistinguishable from noise and that the key was effectively recovered by a classical checker rather than by a meaningful quantum signal. In other words, even this much-cited example remains controversial and does not come close to demonstrating a Bitcoin-scale break.

The more important development is theoretical rather than experimental. Google's March 2026 Quantum AI whitepaper estimates that solving the 256-bit elliptic-curve discrete logarithm problem could require either 1,200 logical qubits and 90 million Toffoli gates or 1,450 logical qubits and 70 million Toffoli gates. In plain terms, that means the attack would still need a large error-corrected quantum computer, likely built from fewer than 500,000 physical qubits. Even so, Google says such a machine could recover a private key in roughly 9 to 12 minutes, which is uncomfortably close to Bitcoin's 10-minute block interval.

A separate Caltech and Oratomic analysis suggests that Shor's algorithm can be executed at cryptographically relevant scales with as few as 10,000 reconfigurable atomic qubits, though runtime depends heavily on architecture and parallelism. Their own report says a P-256 discrete-log attack could take just a few days with about 26,000 physical qubits in the neutral-atom design they analyze.

P-256, also known as secp256r1 or prime256v1, is a widely used NIST elliptic curve. NIST, the U.S. National Institute of Standards and Technology, is the federal agency that develops measurement and cryptography standards used across government and industry. Bitcoin uses secp256k1, a different curve in the same family, so progress against one would be a serious warning for the other.

The important point is that this is no longer a far-off academic question. The US government's CNSA 2.0 guidance sets a migration away from elliptic curve cryptography for federal systems by 2035, which shows that major institutions are already planning for a post-quantum transition. Some reports also suggest that a capable quantum computer could arrive as early as 2030 under optimistic roadmaps, though that remains uncertain. Taken together, those signals point to a planning horizon measured in years, not decades.

Which Bitcoin Is Quantum-Exposed?

Not all Bitcoin carries the same level of risk. The difference depends on whether the public key is already visible on-chain. Depending on how "exposure" is defined, various on-chain analyses converge on roughly 6.9 million BTC, or around one-third of total supply, whose public keys are already exposed or routinely exposed through reuse patterns.

Glassnode's May 2026 report separates Bitcoin's quantum exposure into two layers. The first is structural exposure, where public keys are already visible on-chain by design. The second is operational exposure, where coins become vulnerable because of address reuse and custody practices.

Structural exposure accounts for 1.92 million BTC, or 9.6% of issued supply, while operational exposure totals 4.12 million BTC, or 20.6%. Exchange-related balances make up 1.63 million BTC of that second bucket, showing how much of the risk still depends on wallet hygiene.

That distinction matters because structurally exposed coins are a permanent target regardless of holder behavior, while operationally exposed coins can be protected by moving them or changing how addresses are used.

What BIP-360 Actually Proposes

BIP-360 is still a draft. It proposes a new Bitcoin output design that could help reduce long-exposure quantum risk by removing Taproot's key-path spend surface. The proposal introduces Pay-to-Merkle-Root, or P2MR, which keeps spending conditions hidden until the coins are used.

Taproot, which went live in November 2021, improved privacy, scalability, and smart-contract efficiency by hiding unused script conditions on-chain, though key-path spends still rely on a visible public key. BIP-360 does not replace Bitcoin's current signature scheme, and it does not solve every quantum attack scenario. If adopted, it would give Bitcoin a quantum-hardened output format for new coins, not a universal fix.

Compared with Taproot, P2MR is the more cautious design. It keeps the script-tree approach but removes the part that leaves Bitcoin most exposed over time, offering a way to reduce quantum risk without reinventing the system. The difference becomes easier to see when you look at Bitcoin's address formats.

Bitcoin's earliest years, from 2009 to 2010, were shaped by Pay-to-Public-Key, or P2PK, before the network moved quickly to the more widely used Pay-to-Public-Key-Hash, or P2PKH. The sharp changes visible in 2017 and 2021 align with the arrival of SegWit and Taproot, two upgrades that changed how Bitcoin transactions are built. The rise of P2WPKH and P2TR shows how the ecosystem steadily embraced newer, more efficient address formats.

When you look at Bitcoin's address formats side by side, you will see that some types of addresses reveal public keys right away, while others hide them until a spend takes place.

P2MR addresses will begin with "bc1z", a new prefix under SegWit version 2. BTQ Technologies has already deployed a working Bitcoin Quantum testnet implementing full P2MR rules in a controlled environment, giving developers and researchers a place to evaluate quantum-safe transaction tools while BIP-360 remains a draft.
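
Why witness version 2 yields the "bc1z" prefix, as an added example that is not part of the original article or of the BIP-360 text: the first data character of a SegWit address encodes the witness version, and the Bech32 alphabet maps 0, 1 and 2 to "q", "p" and "z". The encoder follows BIP-173 and BIP-350; the program bytes are a constructed placeholder, and a 32-byte P2MR program is an assumption.

```python
# Added illustration: SegWit address encoder (BIP-173 Bech32 / BIP-350 Bech32m).
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)

def polymod(values):
    """BCH checksum computed over 5-bit symbols."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk

def hrp_expand(hrp):
    """Spread the human-readable part ("bc") into checksum input symbols."""
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def to_5bit(data):
    """Regroup 8-bit bytes into 5-bit symbols, zero-padding the tail."""
    acc, bits, out = 0, 0, []
    for b in data:
        acc, bits = ((acc << 8) | b) & 0xFFF, bits + 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:
        out.append((acc << (5 - bits)) & 31)
    return out

def segwit_address(witver, program, hrp="bc"):
    """Encode a witness version and program as a mainnet SegWit address."""
    if not 0 <= witver <= 16 or not 2 <= len(program) <= 40:
        raise ValueError("invalid witness version or program length")
    # Version 0 uses the Bech32 checksum constant, later versions use Bech32m.
    const = BECH32_CONST if witver == 0 else BECH32M_CONST
    data = [witver] + to_5bit(program)
    pm = polymod(hrp_expand(hrp) + data + [0] * 6) ^ const
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)

# Constructed placeholder program; the 32-byte length for P2MR is an assumption.
SAMPLE_PROGRAM = bytes(range(32))

def prefixes():
    """Address prefix produced by witness versions 0, 1 and 2."""
    return {v: segwit_address(v, SAMPLE_PROGRAM)[:4] for v in (0, 1, 2)}

if __name__ == "__main__":
    print(prefixes())
```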

What makes BIP-360 interesting is not just what it changes, but what it signals. Bitcoin developers are starting to treat quantum risk as a design problem, not just a distant theory.

What BIP-360 Does Not Solve

BIP-360 is intentionally narrow. It addresses long-exposure attacks on script-tree outputs, but it does not solve Bitcoin's quantum problem end to end.

First, it does nothing for legacy P2PK outputs, including many early-era coins. Those public keys are already on-chain, and BIP-360 does not migrate, freeze, burn, or otherwise alter those UTXOs. Questions about vulnerable old coins and supply-shock mitigation are outside its scope.

Second, it does not solve short-exposure attacks. Most Bitcoin spends still require revealing a public key while a transaction waits in the mempool, and a fast enough quantum computer could in principle recover that key in time to broadcast a competing spend. The BIP notes that this kind of protection may need post-quantum signatures in a future proposal.

Third, BIP-360 leaves SHA-256 and Bitcoin's proof-of-work system unchanged. In other words, it focuses on public-key exposure, not on rebuilding the network's hashing layer. As a soft fork, it would add new rules without forcing a radical change.

How Long Will This Take?

Honestly, do not hold your breath. Bitcoin upgrades are often slow, and that is by design. Since BIP-360 is still just a draft proposal, you won't see "bc1z" addresses in your favorite wallet app anytime soon. We can pretty much map out how this might play out by looking at Bitcoin's history.

Take SegWit, for example. The idea started gaining shape around 2015, but it took two full years of political fighting and a massive user-led movement to finally push it across the finish line when it activated in August 2017. The Taproot upgrade had a much easier time, but even that wasn't fast. People started talking about it in 2018, miners didn't lock it in until mid-2021, and it finally went live that November.

BIP-360 has to climb that exact same mountain. Every part of the industry, from core devs and miners to exchanges, wallet builders, and hardware companies, has to get on the same page. If everyone does fall into line, we might start to see widespread use towards the end of the decade. But at the end of the day, Bitcoin only moves as fast as its community allows it to.

What Should Bitcoin Holders Do Now?

For most holders, the immediate answer is not panic. Current hardware is nowhere near able to carry out these attacks against Bitcoin in practice, and the BIP itself presents P2MR as a preparatory option rather than an emergency response.

Still, the proposal gives a clearer practical message than "wait and see." Protection against long-exposure attacks depends heavily on wallet hygiene. The BIP says users should avoid exposing public keys through reuse or other unsafe practices, and it explicitly notes that extended public keys, or xpubs, and wallet descriptors also reveal quantum-vulnerable public-key information.

That leads to a more useful checklist for holders:

  • Avoid address reuse. Once a public key has been revealed, any remaining balance or later deposit to that same address becomes a long-exposure target.
  • Be cautious with Taproot outputs for very long-term cold storage. The key-path surface is the exact exposure BIP-360 is trying to remove.
  • Limit unnecessary sharing of xpubs and wallet descriptors, because they also reveal quantum-sensitive public-key data.
  • Watch for "bc1z" support in wallets and custody systems. If P2MR is adopted, updated software will be needed to receive and validate those outputs.
  • Keep an eye on wallet providers, as they work on quantum-related protections and guidance for users.

For advanced users, multisig operators, and custodians, the immediate task is inventory. It matters how much BTC is held in P2PK, Taproot, or reused formats, because each has a different long-term exposure profile. The BIP also suggests that migration from existing Taproot script trees to P2MR would be relatively straightforward, while wallets that use only Taproot key-path spends would need to shift toward script-tree constructions.
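
An inventory pass of the kind described above, as an added example (not code from the article or from BIP-360): it classifies each scriptPubKey by output type and sorts balances into keys visible in the output, keys exposed through reuse, and keys still hidden. The UTXO list and spent-script set are constructed sample data, the bucket names are hypothetical, and the P2MR pattern (OP_2 followed by a 32-byte push) is an assumption based on the draft's use of witness version 2.

```python
# Added illustration: sort a UTXO list by long-exposure profile.
from collections import defaultdict

def classify(spk_hex):
    """Return (output_type, key_visible_in_output) for a scriptPubKey."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "P2PK", True               # <pubkey> OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "P2PKH", False             # key hashed until spend
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "P2SH", False
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", False
    if n == 34 and s[1] == 0x20:          # witness version + 32-byte program
        kind = {0x00: "P2WSH", 0x51: "P2TR", 0x52: "P2MR"}.get(s[0])
        if kind:
            return kind, kind == "P2TR"   # P2TR carries the key-path public key
    return "other", False

def inventory(utxos, spent_from):
    """Total satoshis per bucket; spent_from holds scripts already spent from."""
    totals = defaultdict(int)
    for spk, sats in utxos:
        _, visible = classify(spk)
        if visible:
            bucket = "key_in_output"      # exposed regardless of holder behavior
        elif spk in spent_from:
            bucket = "exposed_by_reuse"   # key revealed by an earlier spend
        else:
            bucket = "hidden_until_spend"
        totals[bucket] += sats
    return dict(totals)

# Constructed sample data: (scriptPubKey hex, value in satoshis).
REUSED = "0014" + "44" * 20
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000),  # P2PK
    ("76a914" + "22" * 20 + "88ac", 100_000_000),     # P2PKH
    ("0014" + "33" * 20, 50_000_000),                 # P2WPKH, never spent from
    (REUSED, 30_000_000),                             # P2WPKH, reused address
    ("5120" + "55" * 32, 200_000_000),                # P2TR
    ("5220" + "66" * 32, 70_000_000),                 # P2MR (assumed pattern)
]

if __name__ == "__main__":
    print(inventory(SAMPLE_UTXOS, {REUSED}))
```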

The Bigger Picture

The BIP-360 proposal is the first step rather than Bitcoin's final answer to the quantum threat. It removes one specific quantum weakness from one new output type while preserving room for future signature upgrades and keeping the social and technical footprint relatively small.

The proposal also sits inside a wider debate about how blockchains should respond to quantum risk. There are plenty of more aggressive ideas out there, but they usually come with massive tradeoffs. Others lean on major protocol-level restructuring. For example, Vitalik Buterin recently expanded on Ethereum's defenses by publishing a post-quantum roadmap on X. His plan involves a multi-year, four-step transition to swap out core cryptographic layers, a massive engineering effort designed to stay ahead of vulnerabilities that could emerge before the end of the decade. However, this level of constant protocol upgrade and complex cryptography is exactly what Bitcoin's decentralized community strongly resists.

Even when other networks try to implement full quantum security, the real-world results are quite heavy. According to a test report released by BNB Chain, upgrading to post-quantum signatures kept everything working, but transaction speeds dropped by roughly 40% as transaction data ballooned in size.

When you look at it that way, BIP-360's slow, gradual approach is a wise strategy, not a lack of ambition. By addressing the most urgent gap first, Bitcoin avoids crushing the network under heavy code before it's absolutely necessary. It may not be a quick fix, but it fits perfectly with how Bitcoin has always evolved: cautiously, and without breaking what already works.