Seven years. That’s how long Bitcoin researcher and BIP-360 co-author Ethan Heilman estimates it would take for the blockchain to migrate to full quantum resilience if it started tomorrow.
And he says that’s an optimistic forecast, based on everyone agreeing on the roadmap.
“Three years until it activates. This assumes two and a half years to get the BIPs done and the code reviewed and tested. Assuming everyone wants it, half a year to activate,” he tells Cointelegraph.
Every Bitcoin holder will need to migrate their funds to new quantum-safe addresses — a huge undertaking that could take months, or even years, given that the blockchain typically runs at 3-10 transactions per second.
Heilman says it will also take considerable time for wallets, custodians, payment processors, Lightning Network nodes, and treasury management software to upgrade.
“Likely, some future forward parties will have prepared to upgrade while the softfork was activating. If we are lucky, 90% will have updated five years after activation. The bigger the perceived danger, the faster this will happen.”
“Seven years total, but I’m just spitballing here. No one actually knows.”
He points out that timelines would accelerate “much faster” if there were a quantum breakthrough, but it’s still a mammoth task.
“The main reason I’m working on this now is that I could see this process taking many years. The more we can get done now, the more time we will have when we have to move quickly.”
Seven years may put Bitcoin in the quantum danger zone
That long lead time could put Bitcoin firmly in the danger zone — and despite the updated BIP-360 proposal being merged for consideration last week, it’s only the first and easiest step toward post-quantum Bitcoin, and it’s still a long way off activation.
Caltech president Thomas Rosenbaum recently suggested that quantum computers could emerge during that period. “We will, I believe, create a functioning, fault-tolerant quantum computer in five to seven years,” he reportedly said during a public discussion.
Founding director of the Quantum Information Center at the University of Texas at Austin, Professor Scott Aaronson, said in November that it could happen even faster:
“Given the current staggering rate of hardware progress, I now think it’s a live possibility that we’ll have a fault-tolerant quantum computer running Shor’s algorithm before the next US presidential election.”
Some Bitcoiners dismiss the possibility out of hand, arguing that no one has used Shor’s Algorithm on a quantum computer to factor a number larger than 15. And Blockstream’s Adam Back may well be proven correct in his prediction that a quantum computer able to reverse engineer Bitcoin’s private keys could still be decades away.
Upgrading Bitcoin to post-quantum is achievable
The good news is that, from a technical perspective, making Bitcoin quantum-resistant is easier than doing the same for Solana or Ethereum. Every coin on Solana has its public key exposed by default — theoretically enabling the private key to be reverse engineered — and the majority of Ethereum is also at risk, while only a third of Bitcoin has public keys exposed.
The consensus mechanisms of those two chains will also be immediately threatened, unlike Bitcoin’s Proof-of-Work, which faces a much more distant risk.
But Ethereum has formed a post-quantum team. It has community support for a plan to overhaul the entire chain by 2029. Solana has already experimented with post-quantum signatures and has a track record of speedy upgrades, including taking its Alpenglow consensus overhaul from idea to testnet in under a year.
Bitcoin’s big challenge will be to reach consensus on the path ahead, particularly on hard choices about potentially increasing block sizes or implementing zero-knowledge proofs to address post-quantum signatures that are at least 10 times larger than those Bitcoin currently uses. The alternative is seeing the blockchain slow to a fraction of 1 TPS.
And the most heated debate may be about what to do with Satoshi’s coins, which cannot be upgraded to post-quantum without Satoshi’s keys. Freeze them forever, thereby undermining sacrosanct private property rights, or let them be stolen and dumped back on the market?
Bitcoiners are still having a civil war over the downstream effects of the Taproot upgrade five years on. The chance of reaching an agreement anytime soon seems remote, as it involves a mammoth overhaul of fundamental parts of Bitcoin that many hold sacred.
bUt qUaNtuM is jUsT bITcOin fUd!
Many Bitcoiners treat the quantum threat as FUD, similar to claims about Bitcoin’s electricity use and environmental impact, which are no longer major issues after Bitcoiners successfully argued that Bitcoin can incentivize renewable energy.
While the quantum threat to Bitcoin is very real, the time frame is hotly contested.
We’ve known since 1994 that sufficiently advanced quantum computers can reverse engineer private keys from public keys using Shor’s algorithm.
Progress on quantum computers suddenly accelerated at the end of 2024 after Google’s Willow chip demonstrated scalable quantum error correction for the first time. Antonio Sanso, from Ethereum’s post-quantum team, says the key theoretical obstacles to developing quantum computers relevant to cryptography have already been overcome.
“There are not a lot of theoretical issues at the moment,” he tells Magazine. “At the moment, it’s an engineering problem. It’s going to be solved for sure.” Sanso believes it’s likely to occur around 2035, a time frame that NIST has also said is a realistic prospect.
The rapid advances in zero-knowledge proofs and artificial intelligence over the past three years have demonstrated that science fiction concepts are fast becoming reality. AI has also led to breakthroughs in error-correction decoders, such as Google DeepMind’s AlphaQubit, and is helping to discover better materials for physical qubits, which could shorten the timeframe.
Qubits required to break Bitcoin keep dropping
As our scientific understanding grows, the number of qubits required to break encryption keeps dropping. Five years ago, scientists assumed that tens of millions of physical qubits would be required to break 2048-bit RSA encryption with Shor’s algorithm. In 2025, Google researchers revised that down to 900,000 physical qubits.
On the weekend, a preprint scientific paper called ‘The Pinnacle Architecture’ suggested that breakthroughs in “practical low overhead fault-tolerant architectures” meant “that 2048-bit RSA integers can be factored with less than one hundred thousand physical qubits” in around one month.
Professor Aaronson says the research is plausible and added that Bitcoin’s “elliptic curve cryptography is likely to fall to quantum computers a bit before RSA” because it uses “256-bit keys rather than 2,048-bit keys, and Shor’s algorithm mostly just cares about the key size.”
The largest experimental array built to date is a 6100 neutral-atom qubit array from a Caltech team last year. There are also huge problems to solve in error correction before a 100,000-qubit physical computer is possible.
But Q Day — the moment a quantum computer can break encryption — is growing nearer.
BIP-360 is the first step toward post quantum security
Heilman, Hunter Beast and Isabel Foxen Duke coauthored an updated version of BIP-360. It was merged into GitHub for official consideration last week.
It’s a “conservative first step” towards quantum resistance, the proposal states, a soft fork for a new Bitcoin output type (the method by which coins are spent) that is both quantum resistant and simple to upgrade to support a post-quantum signature algorithm.
The new output type is called Pay-to-Merkle-Root (P2MR), and it’s an upgraded version of P2TR (Taproot) that hides the public key and removes a quantum-vulnerable key path. The P2TR output will continue to exist, so it’s an addition, not a replacement.
“BIP 360 is step one, it proposes a quantum-resistant output type that has the upgradability and features of P2TR without the quantum vulnerability,” Heilman tells Magazine.
“If we want full quantum safety, we also need to do step two and adopt a post-quantum signature algorithm; this will require additional BIPs and work beyond BIP 360.”
The advantage of BIP-360 is that it’s a minimal change that’s backward compatible — nodes that haven’t been upgraded and don’t recognize the new output type will just ignore it.
The disadvantage of BIP-360 is that it only protects these outputs from long-range attacks — meaning when a quantum attacker has plenty of time to crack the encryption, as with the Satoshi coins.
It doesn’t protect it from short-range attacks, which will likely become possible once quantum computers are sufficiently advanced. Every time you spend Bitcoin, the public key goes into the mempool, and, in theory, an attacker could crack the private key before the transaction is processed.
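The long-range exposure described above can be checked against the output types already on chain. The following Python sketch is an added example, not code from the article or from BIP-360: it matches the standard scriptPubKey templates and reports which outputs show a public key while unspent. The sample scripts, amounts and the address_reused flag are constructed for illustration, and P2MR is left out because the article does not give its encoding.

```python
# Added example: flag outputs whose public key is visible on-chain while the
# coin sits unspent (long-range exposure). Every type reveals its key when it
# is spent, so short-range exposure applies to all of them.

def classify_script_pubkey(spk_hex: str, address_reused: bool = False) -> dict:
    spk = bytes.fromhex(spk_hex)
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        kind, exposed = "P2PK", True       # <pubkey push> OP_CHECKSIG
    elif n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        kind, exposed = "P2PKH", False     # only a hash of the key
    elif n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        kind, exposed = "P2SH", False      # only a hash of the script
    elif n == 22 and spk[:2] == b"\x00\x14":
        kind, exposed = "P2WPKH", False
    elif n == 34 and spk[:2] == b"\x00\x20":
        kind, exposed = "P2WSH", False
    elif n == 34 and spk[:2] == b"\x51\x20":
        kind, exposed = "P2TR", True       # output key sits in the script
    else:
        kind, exposed = "unknown", None    # not judged by this sketch
    # A hashed output loses its cover once the same address has been spent
    # from before, because that earlier spend published the key or script.
    if exposed is False and address_reused:
        exposed = True
    return {"type": kind, "long_range_exposed": exposed}

# Constructed sample: (scriptPubKey hex, amount in sats, address spent from before)
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000, False),
    ("76a914" + "22" * 20 + "88ac", 150_000, False),
    ("76a914" + "33" * 20 + "88ac", 20_000, True),
    ("0014" + "44" * 20, 75_000, False),
    ("5120" + "55" * 32, 300_000, False),
]

def exposed_value(utxos):
    """Return (sats with a key visible at rest, total sats)."""
    exposed = sum(value for spk, value, reused in utxos
                  if classify_script_pubkey(spk, reused)["long_range_exposed"])
    return exposed, sum(value for _, value, _ in utxos)

if __name__ == "__main__":
    for spk, value, reused in SAMPLE_UTXOS:
        print(value, classify_script_pubkey(spk, reused))
    print("exposed / total sats:", exposed_value(SAMPLE_UTXOS))
```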
Heilman explains that the way to protect against short-range attacks is by adding post-quantum signature algorithms as opcodes in Bitcoin tapscript. “This will also be done via a soft fork, but it will be a significantly larger amount of code added to wallets,” he says.
Post-quantum signatures are 10 to 100 times larger, so adding them would slow the blockchain to a crawl. Bitcoin may need to consider a witness discount, which reduces effective weight and fees but could enable spam, or larger block sizes to scale transactions, or zero-knowledge proofs to compress signatures.
Could Bitcoin join forces with Ethereum?
Ethereum’s post-quantum team already has a working prototype of technology that aggregates signatures for each block using hash-based ZK STARKs, enabling a single proof to be written to the chain.
Researcher Justin Drake said on Unchained’s podcast that the PQ Team hopes Bitcoin will adopt it, making it the industry standard. The solution is “built with Bitcoiner security in mind. We’re trying to be as conservative as possible and not cutting any corners.”
He added that Ethereum researchers hope to collaborate more with Bitcoin researchers, and team members have already co-authored four post-quantum academic papers with Blockstream Research’s Mikhail Komarov.
“He’s a great guy, and I’m basically hoping that Mikhail can single-handedly be the bridge between the Bitcoin world and the Ethereum world.”
Check out part 2 of our Q DAY special tomorrow: “6 massive problems Bitcoin faces to become post quantum.”
Andrew Fenton
Andrew Fenton is a writer and editor at Cointelegraph with more than 25 years of experience in journalism and has been covering cryptocurrency since 2018. He spent a decade working for News Corp Australia, first as a film journalist with The Advertiser in Adelaide, then as deputy editor and entertainment writer in Melbourne for the nationally syndicated entertainment lift-outs Hit and Switched On, published in the Herald Sun, Daily Telegraph and Courier Mail. He interviewed stars including Leonardo DiCaprio, Cameron Diaz, Jackie Chan, Robin Williams, Gerard Butler, Metallica and Pearl Jam. Prior to that, he worked as a journalist with Melbourne Weekly Magazine and The Melbourne Times, where he won FCN Best Feature Story twice. His freelance work has been published by CNN International, Independent Reserve, Escape and Adventure.com, and he has worked for 3AW and Triple J. He holds a degree in Journalism from RMIT University and a Bachelor of Letters from the University of Melbourne. Andrew holds ETH, BTC, VET, SNX, LINK, AAVE, UNI, AUCTION, SKY, TRAC, RUNE, ATOM, OP, NEAR and FET above Cointelegraph’s disclosure threshold of $1,000.