Bitcoin's Migration Problem Is Self-Organization

Bitcoin's quantum migration won't be decided by cryptographers alone. The real fight is governance and what “property” means under new rules.


Date: Mar 11, 2026


If Bitcoin ever has to swap out its signature system for post-quantum cryptography (PQC), the hard part will be people, not the cryptographic math that is usually assumed to be the harder piece. The chain can accept new rules, but it cannot notify everyone holding coins in a safe, a forgotten hardware wallet, or a backup phrase taped under a desk.

The broader security world is already moving forward: NIST has begun finalizing post-quantum standards, and intelligence agencies are publishing transition targets for the mid-2030s. The operational implication is that:

  • Migrations take years.

  • As convenient as denial may be, it does not confer protection.

So if a quantum-safe upgrade for Bitcoin requires every holder to act by a specific deadline, what happens to the capital of the people who do not get the memo? Do we shrug and let their coins become an ill-gotten prize for whoever gets quantum capability first, or do we change the protocol so that going offline does not quietly become a guarantee of future forfeiture? 

  • If we answer "yes" to the first-come-first-steal proposal, Satoshi's stash of coins, worth an estimated $100 billion, could one day be stolen and then dumped on the market, destroying everyone else's value. 

  • If we answer "yes" to the other proposal, it'd be necessary to engineer a brand new governance infrastructure, which would go against some of the coin's founding ideals, and require a lot of work. 

The truth is that, as of now, nobody has a strong answer to either question. Let's probe the topic a bit further, to at least set out a few boundaries that any future answer will need to respect if the chain is to stay healthy over the long run.

There's no upgrade police

Before getting concrete, let's name what a serious migration to post-quantum security must accomplish for Bitcoin. Any migration must:

  • Give attentive holders a clear path to move funds safely, and a very long runway to do so

  • Reduce the window where exposed public keys can be exploited by attackers

  • Avoid rules that require judging who "deserves" protection or to retain their capital

  • Provide a non-catastrophic failure mode for late returners, if possible

  • Keep implementation simple enough for wallets and exchanges to ship relatively secure solutions

The uncomfortable reality is that those targets all pull against each other. Any plan that assumes perfect user behavior fails by default, because Bitcoin has no help desk and no registry of owners. Similarly, any plan that assumes zero adversarial or obstructive user behavior also fails by default, since users may have imperfect information or external incentives.

With those constraints in hand, we can now transition into exploring the coordination reality that makes this problem more social than cryptographic.

Bitcoin changes only when enough participants voluntarily converge on new software. The canonical description is the BIP process, and it exists because node operators, including miners, exchanges, and wallets, can each refuse the imposition of new rules.

Taproot is a clean example. Bitcoin Core 0.21.1 introduced Taproot and Schnorr signatures, but activation still depended on broad ecosystem alignment, and those activation mechanics are not trivial. If different parts of the ecosystem enforce different rules at different times, you get avoidable instability, which makes everyone look bad.

Soft fork activation is treated as a coordination risk, because the activation method becomes part of the social contract people believe they are signing. So when people talk about a quantum migration as if it is a simple "upgrade your wallet" campaign, they are importing an assumption Bitcoin does not grant, which is universal compliance.

With that set, we can now be more precise about what quantum risk actually targets.

The quantum threat is key theft

A sufficiently capable quantum computer threatens classical public-key cryptography because it can efficiently solve the discrete logarithm problem on which schemes like ECDSA rest.

Shor's 1994 algorithm is the canonical result that makes discrete logarithms tractable on a sufficiently capable quantum machine. Note that, based on the publicly available information (which is not comprehensive), such a machine does not yet exist, and probably will not exist for five years at the earliest, despite recent breakthroughs.

Bitcoin transaction authorization currently uses ECDSA over secp256k1. The nightmare scenario is forgery, in which an adversary derives a private key from public information. Exposure to this risk is uneven, because a public key is not always visible until you spend: older pay-to-pubkey (P2PK) outputs embed the public key directly in the locking script, so for them the key is already on-chain, whereas hash-based output types reveal the key only when the output is spent.

Again, user behavior is a key element here; early-era outputs included P2PK locking scripts, and address reuse can expose public keys long after the early days. Quantum attacks thus theoretically enable stealing coins via signature breaks, and not a magical erasure of proof-of-work, despite what some people may be hyperbolically claiming.

Of course, that still leaves the core migration headache. How do you move funds safely when the act of moving can reveal data an attacker needs? There's at least one proposal for a slow commit-delay-reveal protocol intended to let users migrate even under a fast quantum adversary. If you hold an appreciable quantity of coins, however, the best move is still to migrate as soon as possible.

Offline users turn migration into a property rights trap

On the surface, an opt-in migration sounds clean, and totally reasonable. 

  1. The chain adds a post-quantum address type and tells everyone to move. 

  2. Everyone moves, except for those whose coins were effectively already lost due to being inaccessible before the migration. 

In practice, the process of needing to opt-in plus having a deadline creates a cliff. Anyone who does not act becomes a forced donor to either quantum thieves or the protocol's rules for the leftovers.

Thus there are two distinct "loss" events. 

  • One is theft. 

  • The other is protocol-level abandonment, where a rule change makes certain old outputs unspendable, effectively burning coins that might still belong to living people. 

The offline problem is more than hypothetical once you realize the scale of the coin's dormant supply. Chainalysis estimates between 2.3 and 3.7 million Bitcoin are permanently lost. Those coins will not migrate, no matter how well the ecosystem coordinates. Given that there can only be 21 million Bitcoin, a substantial portion of the supply is going to be left behind pretty much no matter what happens.

Unless, that is, quantum theft becomes feasible, in which case the lost coins become a redistribution event toward whoever owns quantum hardware first. If the protocol burns vulnerable outputs to prevent that redistribution, it also burns any legitimate late returner who comes back after the cutoff. There is no reliable way to separate "lost" from "lazy" inside these consensus rules.

Trying to solve this problem with exceptions is where governance gets radioactive very quickly. The moment consensus encodes special cases for specific addresses or categories of holders, it invites politics into the base layer, and it might sour the incentives of previously-aligned actors more or less immediately. Furthermore, proposed policies like routing any burned coins back to miners to bolster their security budgets, while somewhat appealing, might also introduce perverse incentives for some of the stakeholders in the deliberative process.

To keep the tradeoffs visible, here is a compact table of migration designs and who eats the downside.

| Migration design choice | Core idea | Biggest upside | Biggest downside |
|---|---|---|---|
| Long grace period, voluntary migration | Add PQ outputs and give years to move | Least disruptive for active users | Offline holders face eventual theft or abandonment |
| Commit-delay-reveal migration | Separate commitment from reveal to reduce hijacking | Helps users migrate under attack pressure | Adds complexity and new wallet flows |
| Neutral burn of vulnerable holdings | Make certain old outputs unspendable | Prevents quantum harvesting of old coins | Late returners lose coins permanently |
| Freeze with very long timelock | Restrict vulnerable spends for decades | Slows thieves and buys time | Turns money into a time-locked asset |
| No consensus change, social tooling | Wallet tools and education only | Avoids protocol precedent | Leaves theft risk for the inattentive and the lost |

As you can see, Bitcoin has a very narrow needle to thread here.

A workable posture is to reduce theft and accept residue risk

No migration scheme saves every coin without changing what Bitcoin is. The best you can do is shrink the attack surface, give people plenty of time to adapt to the incoming reality, and avoid building protocol machinery that tries to determine rightful ownership, as it'd have a high chance of destroying everything.

Here's a shot at a realistic plan, which has three layers.

  • First, add post-quantum signing support and a standardized output type, choosing conservative primitives that have survived broad scrutiny. 

  • Second, add a commit-delay-reveal style migration path so migration itself does not become a front-running festival. 

  • Third, avoid calendar-based burning as the default. Instead, align enforcement with exposure. Outputs that already revealed public keys and patterns like address reuse should face stronger nudges sooner than outputs whose public keys stay hidden until spend.
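An added example, not code from the original post, that turns the exposure rule in the third layer above (and the P2PK versus hidden-until-spend distinction from the key-theft section) into a triage over a constructed UTXO set: P2PK and Taproot outputs count as exposed now, and a hash-based output counts as exposed only once a prior spend from the same key hash has revealed the public key, which is the address-reuse case. The output-script patterns are standard Bitcoin encodings; the sample UTXOs, key bytes and the revealed-hash set are constructed placeholders, and treating Taproot's on-chain output key as exposed is a generalization the post does not spell out.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Utxo:
    outpoint: str          # "txid:vout", constructed placeholder
    script_pubkey: bytes   # raw scriptPubKey bytes
    value_sat: int

def classify_script(spk: bytes) -> tuple[str, bytes]:
    """Recognise a few standard scriptPubKeys; return (type, key or key hash)."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk", spk[1:-1]        # <push pubkey> OP_CHECKSIG: key on-chain
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh", spk[3:23]       # only HASH160(pubkey) on-chain
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh", spk[2:]        # only HASH160(pubkey) on-chain
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr", spk[2:]          # x-only output key on-chain
    return "other", b""

def exposure(utxo: Utxo, revealed_hashes: set[bytes]) -> str:
    """Tier: 'exposed', 'hidden_until_spend', or 'unknown' (unparsed script)."""
    kind, key = classify_script(utxo.script_pubkey)
    if kind in ("p2pk", "p2tr"):
        return "exposed"
    if kind in ("p2pkh", "p2wpkh"):
        # Address reuse: a prior spend from this key hash put the pubkey in a
        # scriptSig/witness, so the hash no longer hides anything.
        return "exposed" if key in revealed_hashes else "hidden_until_spend"
    return "unknown"

def triage(utxos, revealed_hashes: set[bytes]) -> dict[str, int]:
    # Satoshis per exposure tier; the 'exposed' tier gets the first nudges.
    totals = Counter()
    for u in utxos:
        totals[exposure(u, revealed_hashes)] += u.value_sat
    return dict(totals)

# Constructed sample, not real chain data.
PK = b"\x02" + b"\xab" * 32      # placeholder compressed pubkey
H_REUSED = b"\x11" * 20          # key hash revealed by an earlier spend
H_FRESH = b"\x22" * 20           # key hash never spent from
SAMPLE = [
    Utxo("a:0", b"\x21" + PK + b"\xac", 50_00000000),                  # P2PK
    Utxo("b:0", b"\x76\xa9\x14" + H_REUSED + b"\x88\xac", 3_00000000),  # reused P2PKH
    Utxo("c:1", b"\x00\x14" + H_FRESH, 1_00000000),                    # fresh P2WPKH
    Utxo("d:0", b"\x51\x20" + b"\x33" * 32, 2_00000000),               # P2TR
]
REVEALED = {H_REUSED}
```

Running `triage(SAMPLE, REVEALED)` puts the P2PK, reused P2PKH and Taproot outputs in the exposed tier and only the fresh P2WPKH output in the hidden-until-spend tier; the same set with an empty revealed-hash set moves the reused P2PKH output back to hidden.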

But even with careful design, Bitcoin's migration guarantees some residue risk. Some coins will not move. We won't be able to make accurate judgments about why that is. If quantum computers become practical, some dormant supply becomes newly mobile, and markets will reprice that reality fast. They might even already be starting to price in quantum risk today. 

So here are the failure modes investors should actually watch:

[Infographic: Quantum Canary, five stages of Bitcoin migration risks and market supply shocks]

Decentralization cannot compel attention, cannot locate owners, and cannot rescue everyone who ignored upgrades for years. It can, however, fail spectacularly if thorny coordination problems aren't addressed.

Therefore, if you own Bitcoin as an investment, you need to treat quantum migration as a tail risk with a fat governance component. The cryptography can be swapped. The question is whether the ecosystem can coordinate the swap without turning property rights into a political battlefield that nobody walks away from.



Editor-in-Chief
Christopher Smith
