
Bitcoin's $1.3T Quantum Clock: The 9-Minute ECDSA Break and BIP-360 Race to Save 6.9M BTC

Dora Noda
Software Engineer

Nine minutes. That is the window a 57-page Google Quantum AI paper says a future quantum computer would need to reverse-engineer a Bitcoin private key from an exposed public key — short enough to fit inside a single block confirmation, long enough to rewrite the risk profile of the entire $1.3 trillion network. The paper, co-authored with researchers from Stanford and the Ethereum Foundation and published on March 30, 2026, did something subtler than predict the apocalypse. It shrank the number that matters. The resources needed to break ECDSA dropped by a factor of 20 compared to prior estimates. Google now internally targets post-quantum migration by 2029.

Bitcoin does not get that long. Not if it wants to migrate gracefully. And the network's developers know it — which is why April 2026 has become the most consequential month for Bitcoin cryptography since SegWit activation. BIP-360 is live on testnet. A follow-up proposal to freeze legacy addresses is circulating in draft form. Adam Back, Jameson Lopp, and Bitcoin Core maintainers are splitting into camps that disagree not about whether the threat is real, but about who pays when the clock runs out.

The Exposure Map: 6.9 Million BTC, 34% of the Supply, and Satoshi's Coins

The Google paper's most quoted number is nine minutes. Its most unsettling number is 6.9 million. That is the upper bound on bitcoin supply whose public keys are already visible on-chain — meaning a quantum attacker does not need to race a transaction through the mempool. They can derive the private key at their leisure and spend the coins whenever they please.

The exposure comes in tiers:

  • Pay-to-Public-Key (P2PK) addresses: Roughly 1.7 million BTC, including more than 1.1 million BTC attributed to Satoshi Nakamoto's early-mined coinbase rewards. Public keys are stored directly in the scriptPubKey. Nothing hides them.
  • Reused addresses across all script types: When a P2PKH, P2WPKH, or Taproot address spends even once, its public key is revealed in the spending transaction. Researchers estimate this pushes the vulnerable supply well past 6 million BTC.
  • Dormant addresses: As of March 1, 2026, over 34% of the circulating supply has exposed public keys at some point. Coins that sat untouched for a decade are not safer — they are more exposed, because they cannot be rotated without revealing the key anyway.

This is the "harvest now, decrypt later" problem in its starkest form. Every address reuse from the past 15 years is already committed to the blockchain. There is no revoking it. The only defense is migration — moving coins to post-quantum address formats before a sufficiently powerful machine arrives.
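The exposure tiers above can be told apart from the raw output script. As an added example (not from the Google paper or any BIP), the following sorts constructed UTXOs into key-in-output, key-revealed-by-reuse, and hash-only buckets. It covers only the P2PK, P2PKH and P2WPKH templates and reports every other script as unclassified; the function names, tier labels and sample bytes are assumptions of this sketch.

```python
# Added illustration; all scripts and amounts below are constructed samples.

def classify(spk: bytes) -> str:
    """Name the template of a scriptPubKey from its byte pattern."""
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG
    if (len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == 0xAC
            and spk[1] in ((0x02, 0x03) if len(spk) == 35 else (0x04,))):
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh"
    # P2WPKH: OP_0 <push 20> <hash160>
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    return "other"


def exposure_report(utxos, spent_from):
    """Sum satoshis per exposure tier.

    utxos      -- iterable of (scriptPubKey, value_in_satoshis)
    spent_from -- set of scriptPubKeys that appear as the source of an earlier
                  spend, i.e. reused addresses whose key is already public
    """
    report = {"key_in_output": 0, "key_revealed_by_reuse": 0,
              "hash_only": 0, "unclassified": 0}
    for spk, value in utxos:
        kind = classify(spk)
        if kind == "p2pk":
            tier = "key_in_output"          # key sits in the UTXO itself
        elif kind == "other":
            tier = "unclassified"           # template not covered here
        elif spk in spent_from:
            tier = "key_revealed_by_reuse"  # an earlier spend disclosed the key
        else:
            tier = "hash_only"              # only a 20-byte hash is on-chain
        report[tier] += value
    return report


# Constructed sample outputs (placeholder key and hash bytes).
P2PK_OUT = bytes([0x41, 0x04]) + bytes(64) + b"\xac"
REUSED_P2PKH = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
FRESH_P2WPKH = b"\x00\x14" + b"\x22" * 20
SAMPLE_UTXOS = [(P2PK_OUT, 5_000_000_000), (REUSED_P2PKH, 120_000),
                (FRESH_P2WPKH, 75_000), (b"\x6a\x04test", 0)]
SAMPLE_REPORT = exposure_report(SAMPLE_UTXOS, spent_from={REUSED_P2PKH})
```

A custodian running this kind of audit would build `spent_from` from its own transaction history, since reuse is a property of the wallet's past spends rather than of the output script.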

BIP-360: Pay-to-Merkle-Root and the First Testnet Blocks

BIP-360, co-authored by Ethan Heilman and released in February 2026, is the first concrete Bitcoin Improvement Proposal to offer a forward-compatible address format. It introduces Pay-to-Merkle-Root (P2MR), which commits to a Merkle tree of possible signature schemes rather than embedding any single public key on-chain.

The elegance of P2MR is that it lets the network adopt quantum-resistant signatures without picking a winner today. A P2MR output can reveal a SLH-DSA (SPHINCS+) signature path at spend time, or a Falcon path, or a hybrid ECDSA-plus-post-quantum path. The public key is never written into the UTXO itself — only a commitment. Observers learn nothing about the signing key until the coin moves, and even then only the specific path used is disclosed.
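The commit-then-reveal-one-path idea described above, as an added sketch that is not BIP-360's own code: it builds a Merkle root over three placeholder spend paths and verifies a spend that discloses one leaf plus sibling hashes only. The hash tags, leaf contents and function names are assumptions; the proposal's actual leaf encoding and hashing rules are not reproduced here.

```python
import hashlib

# Added sketch: tags and leaf contents are assumptions, not BIP-360's encoding.

def leaf_hash(script: bytes) -> bytes:
    # Distinct leaf/branch tags stop a branch from being passed off as a leaf.
    return hashlib.sha256(b"leaf:" + script).digest()

def branch_hash(a: bytes, b: bytes) -> bytes:
    # Children are sorted so a proof needs no left/right markers.
    return hashlib.sha256(b"branch:" + min(a, b) + max(a, b)).digest()

def commit(scripts):
    """Return (root, proofs); proofs[i] is the sibling-hash path for scripts[i]."""
    if not scripts:
        raise ValueError("at least one spend path is required")
    level = [leaf_hash(s) for s in scripts]
    members = [[i] for i in range(len(scripts))]  # leaf indices under each node
    proofs = [[] for _ in scripts]
    while len(level) > 1:
        next_level, next_members = [], []
        for j in range(0, len(level) - 1, 2):
            left, right = level[j], level[j + 1]
            for i in members[j]:
                proofs[i].append(right)
            for i in members[j + 1]:
                proofs[i].append(left)
            next_level.append(branch_hash(left, right))
            next_members.append(members[j] + members[j + 1])
        if len(level) % 2:                        # odd node moves up unchanged
            next_level.append(level[-1])
            next_members.append(members[-1])
        level, members = next_level, next_members
    return level[0], proofs

def verify_spend(root: bytes, script: bytes, proof) -> bool:
    """Recompute the root from the one revealed script and its sibling hashes."""
    node = leaf_hash(script)
    for sibling in proof:
        node = branch_hash(node, sibling)
    return node == root

# Constructed placeholder leaves standing in for three signature-scheme paths.
PATHS = [b"<slh-dsa pubkey> CHECKSIG (placeholder)",
         b"<falcon pubkey> CHECKSIG (placeholder)",
         b"<ecdsa pubkey> CHECKSIG <pq pubkey> CHECKSIG (placeholder)"]
ROOT, PROOFS = commit(PATHS)
```

Only `ROOT` would sit in the output; a spend through one path publishes that path's script and its proof, and the other leaves appear only as 32-byte hashes.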

On March 20, 2026, BTQ Technologies activated the first production deployment of BIP-360 v0.3.0 on a Bitcoin testnet. More than 50 miners joined the experiment, producing over 100,000 blocks under the new rules. The testnet is not Bitcoin mainnet, and activation is nowhere close. But it answered the question critics had raised for years: can P2MR actually handle the throughput and signature sizes? Initial results say yes, at a cost.

The Size Problem: 64 Bytes to 8 Kilobytes

Here is the engineering tax. A current ECDSA or Schnorr Bitcoin signature is 64 bytes. The NIST-standardized post-quantum alternative, SLH-DSA (formerly SPHINCS+, finalized as FIPS 205 in August 2024), weighs in at roughly 8 kilobytes per signature. That is a 125-fold increase.

Block space is zero-sum. A Bitcoin block's weight limit does not move just because signatures grew. If every signature became 8 KB overnight, effective transaction throughput would collapse by more than two orders of magnitude, and fee markets would price out all but the highest-value transfers. This is not a minor UX issue — it is the reason Bitcoin has not already migrated.

Two research directions are trying to solve the tax:

  • SHRIMPS and SHRINCS: Stateless hash-based schemes that retain SPHINCS+ security guarantees while targeting signature sizes closer to 2 KB.
  • Falcon-family lattice signatures: Smaller than SPHINCS+ (around 700 bytes) but carry more assumptions about the hardness of lattice problems — a different risk profile than the pure hash-based family.
  • Commit/reveal schemes using existing Bitcoin Script: Cleverly encode post-quantum commitments today at roughly $200 per transaction cost, without any protocol upgrade. Expensive, but available right now for high-value cold storage.

No single option is obviously correct. BIP-360's Merkle-commitment design is a hedge against having to pick.

BIP-361: The Proposal to Freeze Satoshi's Coins

On April 14, 2026, Jameson Lopp and five co-researchers submitted a draft of BIP-361 — "Post Quantum Migration and Legacy Signature Sunset" — to the Bitcoin BIPs repository. It is the most politically explosive Bitcoin proposal since the 2017 block size wars, and it is structured in three escalating phases:

  • Phase A (activation + ~3 years): New transactions may no longer send funds to legacy quantum-vulnerable address types. Coins can still leave vulnerable addresses, but wallets and services are pushed toward P2MR by default.
  • Phase B (activation + ~5 years): The consensus layer invalidates all legacy signatures. Any coin not migrated by this block height becomes unspendable. Frozen.
  • Phase C (under research): A limited recovery mechanism using zero-knowledge proofs tied to BIP-39 seed phrases. Users could prove ownership of frozen UTXOs without revealing private keys, but only if they still control the original seed. Lost-seed coins stay lost.

The arithmetic is stark. Phase B would freeze 170,000 BTC locked in P2PK scripts and roughly 1.1 million BTC attributed to Satoshi. At $95,000 per BTC, that is more than $120 billion in coins sunsetted by consensus — the largest forced expropriation of private property in the history of any digital network.

The Split: Adam Back vs. Lopp, Ideological Purity vs. Adversarial Thinking

The community response arrived within hours and split along predictable fault lines.

Against the freeze:

  • Adam Back publicly advocated for optional post-quantum upgrades with no forced sunset, arguing that freezing coins violates Bitcoin's core promise of permissionless possession.
  • Marty Bent (TFTC) called the proposal "ridiculous."
  • Bitcoin Magazine's Brian Trollz rejected it outright.
  • Phil Geiger (Metaplanet) summarized the opposition: "We have to steal people's money to prevent their money from being stolen."

For the freeze:

  • Lopp framed the draft as "adversarial thinking about potential future threats," noting he does not currently believe the measures need immediate activation.
  • Institutional custodians quietly support the sunset, because any surviving pre-quantum coin pool becomes a permanent systemic risk — a giant honeypot that quantum attackers can target without time pressure.

The philosophical disagreement is real. Bitcoin's promise was that coins cannot be seized by fiat. BIP-361 inverts that: coins can be seized by inaction. Opponents argue that allowing lost/dormant coins to be stolen by a future quantum attacker is simply the cost of the original promise. Proponents argue that waiting for the theft would legitimize a precedent Bitcoin cannot survive.

The 7-Year Runway and What Happens if Migration Stalls

Ethan Heilman, BIP-360's co-author, estimates a full migration takes at least seven years even if initiated immediately. The timeline breaks down roughly as:

  • Year 1: BIP-360 mainnet activation and wallet support rollout.
  • Years 2–3: Exchange, custodian, and merchant integration. Hardware wallet firmware updates with post-quantum signing paths.
  • Years 4–5: Consensus-level enforcement of Phase A restrictions, if BIP-361 or a successor is adopted.
  • Years 6–7: Legacy signature sunset, frozen address resolution, recovery mechanism deployment.

Google's internal 2029 deadline sits inside that window. Bernstein analysts expect a 3–5 year transition before quantum becomes operationally relevant. Ark Invest argues the threat is long-term, not imminent. The gap between "not imminent" and "7-year migration" is where Bitcoin governance will spend the rest of the decade.

Cross-Chain Comparison: Ethereum, Solana, and the Quantum-Native Upstarts

Bitcoin is not the only chain racing the same clock, but it is the one with the most constrained governance.

  • Ethereum: Vitalik Buterin published a post-quantum roadmap in February 2026. EIP-8141 introduces a "frame transaction" envelope that carries both ECDSA and post-quantum signatures simultaneously, allowing accounts to migrate signature types without changing addresses. Quantum-resistant signatures cost up to 66 times more gas, requiring batching solutions to stay economically viable. The Ethereum Foundation targets full quantum resistance before 2030.
  • Solana: In December 2025, the Solana Foundation partnered with Project Eleven to launch a testnet replacing every Ed25519 signature with CRYSTALS-Dilithium. Initial measurements sustained roughly 3,000 TPS, though earlier independent tests had reported throughput degradation of up to 90% with signatures 40 times larger. Firedancer, Jump Crypto's alternative validator client, supports multiple signature backends, making Solana quantum-migration-capable before Ethereum finalizes EIP-8141.
  • Quantum-native L1s: Circle Arc, Algorand, and several newer chains launched with post-quantum primitives from genesis, skipping the migration problem entirely. Their marketing pitch in 2027 will write itself.

Bitcoin's disadvantage is not technical — it is political. Ethereum has a Foundation. Solana has Anza and the Firedancer team. Bitcoin has Core maintainers and a rough consensus model that took almost four years to ship Taproot, a far less controversial upgrade.

What This Means for Builders and Holders

Three practical implications stand out for anyone building on or holding Bitcoin today:

  1. Cold storage practices matter more than ever. Address reuse has always been a privacy anti-pattern. It is now a cryptographic risk. Fresh addresses per transaction buy time even before BIP-360 activates, because unspent P2WPKH and Taproot outputs with never-revealed public keys remain safe under the "harvest now, decrypt later" model until they are spent.
  2. Multi-sig and Taproot script paths will need migration plans too. Complex scripts with revealed spend paths have the same exposure problem as single-key addresses. Custody services should start auditing which of their cold storage constructions survive a post-quantum world and which will require forced migration during a Phase A deadline.
  3. Infrastructure providers will carry the operational load. When BIP-360 activates, wallets, exchanges, and RPC providers will spend two years doing unglamorous plumbing work: supporting new address formats, handling hybrid signature verification, and helping users migrate UTXOs without losing funds to fee spikes or bugs. The quality of that infrastructure will determine whether migration is smooth or chaotic.

The quantum clock is not ticking at the speed of headlines. It is ticking at the speed of standards committees, testnet rollouts, and BIP activations — which is precisely why April 2026 matters. The first BIP is live on testnet. The second is drafted. The community is arguing. That is exactly what a functional migration looks like at year zero.

The alternative — waiting until a 500,000-qubit machine actually exists — is the option that does not work.
