A draft Bitcoin Improvement Proposal authored by Casa co-founder Jameson Lopp and five collaborators sets out the most forceful roadmap yet for hardening the network against quantum computing. Titled “Post-Quantum Migration and Legacy Signature Sunset,” the proposal was published on GitHub on 14 July and calls for a phased retirement of all outputs protected by today’s ECDSA and Schnorr signatures. The authors frame the move as a necessary pre-emptive strike: “It turns quantum security into a private incentive — fail to upgrade and you will certainly lose access to your funds.” Plan To Secure Bitcoin From Quantum Threat Because every public key that appears on-chain can, in principle, have its corresponding private key recovered by a sufficiently powerful quantum computer, the proposal warns that “roughly 25 % of all bitcoin have revealed a public key on-chain; those UTXOs could be stolen with sufficient quantum power.” That slice includes many early P2PK outputs, among them the roughly one million BTC widely believed to be controlled by Bitcoin’s creator, Satoshi Nakamoto . The authors note that NIST finalised three production-grade post-quantum signature algorithms in 2024 and that academic roadmaps now place a “cryptographically-relevant” quantum computer as early as 2027-2030. At the same time, quantum factoring algorithms “are improving up to 20×,” rapidly shrinking Bitcoin’s safety margin.To neutralise the threat, the draft prescribes a soft-fork sequence tied to the already-proposed P2QRH post-quantum output type (defined in BIP-360): Phase A begins three years after P2QRH goes live and “disallows sending of any funds to quantum-vulnerable addresses,” forcing new coins toward quantum-safe scripts. Phase B follows two years later, on a pre-announced flag day, when “nodes reject transactions that rely on ECDSA/Schnorr keys,” rendering legacy outputs unspendable. Phase C is optional and, pending further research, could enable owners who missed the deadline to recover funds with a zero-knowledge proof of possession of their BIP-39 seed. The document’s rationale is explicit: “A successful quantum attack on Bitcoin would result in significant economic disruption and damage across the entire ecosystem.” By imposing a known deadline, the authors hope to overcome what they describe as “upgrade inertia” among wallets, exchanges and custodians that historically stretches protocol roll-outs over many years. Each stakeholder cohort is offered a blunt calculus. Miners risk producing “invalid blocks” after Phase B if they do not upgrade, but in the interim can expect heavier blocks and higher fees from the larger post-quantum signatures. Institutional holders face potential fiduciary liability should they ignore the migration timetable, while exchanges confront the prospect of overnight insolvency if quantum attackers drain custodial hot wallets. For individual users, the sunset date converts an abstract, far-off threat into a hard deadline. A notable corollary is that coins abandoned in quantum-vulnerable scripts would become permanently frozen, echoing Satoshi’s early observation that “lost coins only make everyone else’s coins worth slightly more.” The proposal inverts that logic for quantum-recovered coins, calling them “a theft from everyone.” The BIP remains a draft and has yet to receive a number or taproot-style activation path, but it is already shaping what is likely to become a contentious debate over backward compatibility and the treatment of dormant balances. If adopted, the migration would dwarf SegWit and Taproot in both logistical complexity and monetary stakes, directly affecting an estimated quarter of the 19.7 million BTC in existence. For now, the authors have thrown down a clear gauntlet: either the ecosystem coordinates on a proactive timeline, or it faces the prospect of responding to an emergency only after the first quantum theft has occurred. At press time, BTC traded at $118,623.
