This week, Bitcoin core developers published a migration proposal that would, among other things, freeze legacy coins with exposed public keys — including the roughly 1.1 million BTC believed to belong to Satoshi Nakamoto. Adam Back, the Blockstream CEO who is also the inventor of Hashcash, pushed back publicly and argued for optional upgrades. Cardano founder Charles Hoskinson said the proposal cannot save Satoshi's coins from a quantum attacker regardless.
The debate is important, but it has been reported in technical language that can be hard to follow. This guide strips it down. We explain what the quantum threat actually is, which Bitcoin is vulnerable and which is not, what the migration proposal does, why it is controversial, and what individual holders should be doing right now.
The threat in one paragraph
Bitcoin secures coins with a pair of keys: a private key that you control, and a public key derived from it. Classical hardware cannot reverse that derivation, but a large enough quantum computer running Shor's algorithm could solve the underlying elliptic-curve discrete logarithm and recover the private key from any public key it can see. No current quantum computer is close to running Shor's algorithm against Bitcoin's signature scheme: published resource estimates call for millions of physical qubits running error correction (a few thousand error-corrected logical qubits), while the most advanced machines today have at most a few thousand noisy physical qubits and nothing like that number of logical ones. The threat is real but not imminent. The preparation window is measured in years, not months.
What is actually at risk — and what is not
Not all Bitcoin is equally exposed. Understanding the distinction is the single most useful thing a holder can do.
Bitcoin addresses come in several types. The key question is whether your address has ever had its public key revealed on-chain.
- **Pay-to-Public-Key (P2PK)** outputs expose the full public key directly on-chain, by design. Roughly 1.9 million BTC sits in these outputs, and much of it is believed to be Satoshi's. These coins are the most exposed in a quantum scenario.
- **Pay-to-Public-Key-Hash (P2PKH), P2SH, and native SegWit v0 (bech32: P2WPKH, P2WSH) addresses** only reveal the public key when you spend from them. Until a coin is spent, only a hash of the public key (or of the script that contains it) is visible on-chain. Quantum computers get at best a quadratic speedup (Grover's algorithm) against a hash, so inverting a 160-bit HASH160 stays out of reach. The practical exposure is the short window between broadcasting a spend, which publishes the key, and that spend being confirmed.
- **Taproot (P2TR, bech32m) addresses** place the tweaked x-only public key in the output script itself. Like P2PK, the key is visible from the moment the coins are received, not only when they are spent.
- **Reused addresses**, meaning any address you have spent from and then received more coins at, are functionally in the same category as P2PK, because your public key is now sitting visibly in the blockchain's transaction history.
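The distinction above comes down to the shape of the output script. The following classifier is an added illustration (not code from the proposal or from Bitcoin Core): it matches a raw scriptPubKey against the standard templates, reports whether the key is already public at funding time, and shows which key a later spend publishes. The sample outputs are constructed from the secp256k1 generator point (the public key of private key 1, never usable for real funds); the 20- and 32-byte digests are made-up placeholders rather than real hashes.

```python
"""Classify a Bitcoin scriptPubKey by output type and report whether the
public key it locks is already visible on-chain.  Added illustration, not
code from the migration proposal or from Bitcoin Core.  The sample outputs
are constructed from the secp256k1 generator point (the public key of private
key 1, never usable for real funds); the 20- and 32-byte digests are
made-up placeholders, not real hashes."""
from dataclasses import dataclass
from typing import Optional

# Script opcodes used by the standard output templates.
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x00, 0x51, 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG, OP_PUSHDATA1 = 0xA9, 0xAC, 0x4C


@dataclass(frozen=True)
class OutputInfo:
    kind: str                     # P2PK, P2PKH, P2SH, P2WPKH, P2WSH, P2TR or unknown
    key_exposed_at_funding: bool  # True when the output script itself carries a public key
    pubkey: Optional[bytes]       # that key, when present


def classify_script_pubkey(spk: bytes) -> OutputInfo:
    """Match the standard output templates; anything else is reported as unknown."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG  -> key public since funding
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return OutputInfo("P2PK", True, spk[1:-1])
    # P2PKH: OP_DUP OP_HASH160 <20-byte HASH160(pubkey)> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return OutputInfo("P2PKH", False, None)
    # P2SH: OP_HASH160 <20-byte HASH160(redeemScript)> OP_EQUAL
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return OutputInfo("P2SH", False, None)
    # SegWit v0: OP_0 <20-byte key hash> (P2WPKH) or OP_0 <32-byte script hash> (P2WSH)
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return OutputInfo("P2WPKH", False, None)
    if n == 34 and spk[0] == OP_0 and spk[1] == 32:
        return OutputInfo("P2WSH", False, None)
    # Taproot (SegWit v1): OP_1 <32-byte x-only tweaked pubkey> -> key public since funding
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return OutputInfo("P2TR", True, spk[2:])
    return OutputInfo("unknown", False, None)


def parse_pushes(script: bytes) -> list:
    """Split a push-only scriptSig (as used by P2PKH and P2SH spends) into its items."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        if 1 <= op <= 0x4B:                 # direct push of 1..75 bytes
            size, i = op, i + 1
        elif op == OP_PUSHDATA1:            # next byte holds the length
            size, i = script[i + 1], i + 2
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} in scriptSig")
        items.append(script[i:i + size])
        i += size
    return items


def pubkey_revealed_by_spend(kind: str, script_sig: bytes = b"", witness=()) -> Optional[bytes]:
    """Public key that spending an output of this kind publishes on-chain.
    P2PKH: last scriptSig push (<sig> <pubkey>).  P2WPKH: last witness item.
    P2SH/P2WSH reveal the whole script, whose keys are left to the caller.
    P2PK and Taproot key-path spends add nothing: the key was already public."""
    if kind == "P2PKH":
        return parse_pushes(script_sig)[-1]
    if kind == "P2WPKH":
        return witness[-1]
    return None


# Constructed sample outputs (not real on-chain data).
G = bytes.fromhex("0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
FAKE_H160 = bytes(range(20))   # stands in for HASH160(G)
FAKE_H256 = bytes(range(32))   # stands in for a script hash or tweaked key

SAMPLES = {
    "p2pk": bytes([33]) + G + bytes([OP_CHECKSIG]),
    "p2pkh": bytes([OP_DUP, OP_HASH160, 20]) + FAKE_H160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
    "p2sh": bytes([OP_HASH160, 20]) + FAKE_H160 + bytes([OP_EQUAL]),
    "p2wpkh": bytes([OP_0, 20]) + FAKE_H160,
    "p2wsh": bytes([OP_0, 32]) + FAKE_H256,
    "p2tr": bytes([OP_1, 32]) + FAKE_H256,
}

if __name__ == "__main__":
    for name, spk in SAMPLES.items():
        info = classify_script_pubkey(spk)
        print(f"{name:6} -> {info.kind:7} key exposed at funding: {info.key_exposed_at_funding}")
    # A P2PKH spend carries <sig> <pubkey> in scriptSig; the (fake) signature is 72 zero bytes.
    fake_sig = bytes(72)
    script_sig = bytes([len(fake_sig)]) + fake_sig + bytes([len(G)]) + G
    print("P2PKH spend reveals:", pubkey_revealed_by_spend("P2PKH", script_sig).hex())
```

Running it prints P2PK and P2TR as exposed at funding and the hash-based types as not, and then shows the generator point falling out of the P2PKH scriptSig the moment the output is spent. A real audit would feed it scriptPubKeys and scriptSigs pulled from a node rather than the constructed samples.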
Coverage from [Bitcoin Magazine](https://bitcoinmagazine.com/news/bitcoin-developers-propose-quantum-plan) notes that the proposal's most controversial element is what it would do about this first category of coins.
The migration proposal in plain language
The proposal, as summarised in [Bitcoin Magazine](https://bitcoinmagazine.com/news/bitcoin-developers-propose-quantum-plan), would do three things:
1. **Introduce post-quantum signature types.** New output and address formats using lattice-based or hash-based signature schemes (drawn from the schemes NIST has standardised) would become spendable alongside the existing ECDSA and Schnorr schemes.
2. **Give holders a migration window.** During this window, coins sitting in quantum-vulnerable address types could be moved to post-quantum address types without friction.
3. **Freeze coins that do not migrate.** At the end of the migration window, coins still sitting in quantum-vulnerable addresses with exposed public keys would be rendered unspendable by consensus rule.
Point three is where the argument starts.
The rationale from proposal supporters is that leaving those coins spendable means that, once a quantum computer arrives, an attacker could drain them — effectively transferring a significant supply slice to whoever cracks the signatures first. Freezing them, in this view, protects Bitcoin's monetary integrity.
The counter-argument, articulated by [Adam Back](https://decrypt.co/search?q=Adam%20Back) and summarised in [Decrypt](https://decrypt.co/search?q=quantum%20bitcoin), is that freezing coins by consensus sets a dangerous precedent. Bitcoin's value proposition includes the principle that no one can touch your coins without your private key. If the community can vote to freeze a subset of coins, it opens the door to future freezes for other reasons. Back's preferred approach is optional upgrades — make the post-quantum address types available, let holders migrate at their own pace, and accept that non-migrators may lose coins to a future quantum attacker.
Cardano's Charles Hoskinson added a third angle in coverage from [Decrypt](https://decrypt.co/2026/04/16/quantum-proposal-wont-save-satoshis-bitcoin-says-cardano-founder-hoskinson): he argued that by the time quantum hardware is capable of breaking Bitcoin, Satoshi's coins — with their pristinely exposed public keys — would already be drainable regardless of whether they are "frozen" by consensus, because a well-funded attacker could simply ignore the Bitcoin consensus rule and construct a chain that spends them.
That last point is technically nuanced (it assumes the attacker has enough hashrate to rewrite history, which is a separate problem), but it illustrates why the debate has not resolved.
The post-quantum signature candidates
The NIST post-quantum cryptography process has already standardised signature schemes that could replace ECDSA and Schnorr. The shortlist includes:
- **CRYSTALS-Dilithium**, a lattice-based scheme, standardised as ML-DSA (FIPS 204). Strong security assumptions and moderate signature size: about 2.4 KB for the smallest parameter set (ML-DSA-44), with a 1.3 KB public key.
- **FALCON**, another lattice-based scheme, being standardised as FN-DSA (FIPS 206, still in draft). Smaller signatures than Dilithium (about 666 bytes for Falcon-512, with an 897-byte public key), but a more complex implementation: signing relies on floating-point arithmetic that is hard to make constant-time.
- **SPHINCS+**, a hash-based scheme, standardised as SLH-DSA (FIPS 205). Very conservative security assumptions (only the hash function has to hold), but large signatures: about 7.8 KB for the compact 128-bit parameter set and about 17 KB for the fast one.
Whichever candidates are ultimately chosen for Bitcoin, signature size will matter. A Schnorr signature is 64 bytes and a DER-encoded ECDSA signature about 71 to 72 bytes, so even the smallest of these schemes is roughly ten times larger. Bitcoin's block-space is scarce, and larger signatures mean fewer transactions per block unless accompanying changes are made. Any migration will involve trade-offs between security margin, signature size, and verification speed.
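To put numbers on the block-space point, here is an added worked example (not from the proposal or any BIP) that computes the weight of a one-input, one-output transaction under each scheme and how many such transactions fit in a 4,000,000-weight-unit block. It assumes a post-quantum output would, like P2WSH, commit to a 32-byte hash and carry both the public key and the signature in the witness at the normal 75% discount; the actual script layout the proposal would use is not known here, so treat the post-quantum rows as an estimate. Byte sizes are the NIST parameter-set figures; the ECDSA and Schnorr rows are today's real formats.

```python
"""Block-space cost of a one-input, one-output transaction under different
signature schemes.  Added worked example, not from the proposal: it assumes a
post-quantum output would, like P2WSH, commit to a 32-byte hash and carry both
the public key and the signature in the witness at the normal 75% discount.
Byte sizes are the NIST parameter-set figures; the ECDSA and Schnorr rows are
today's real formats."""
from math import ceil

MAX_BLOCK_WEIGHT = 4_000_000  # consensus limit in weight units

# name -> (scriptPubKey length, witness items in bytes)
SCHEMES = {
    "ECDSA P2WPKH (today)":          (22, [72, 33]),       # DER sig + compressed pubkey
    "Schnorr P2TR key path (today)": (34, [64]),           # 64-byte sig; key already in output
    "ML-DSA-44 (FIPS 204)":          (34, [2420, 1312]),   # assumed layout: sig + pubkey
    "FN-DSA-512 / Falcon-512":       (34, [666, 897]),     # assumed layout: sig + pubkey
    "SLH-DSA-SHA2-128s (FIPS 205)":  (34, [7856, 32]),     # assumed layout: sig + pubkey
}


def compact_size_len(n: int) -> int:
    """Bytes used by Bitcoin's CompactSize length prefix for n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5


def tx_weight(spk_len: int, witness_items) -> int:
    """Weight of a 1-in/1-out SegWit transaction: 4 * non-witness bytes + witness bytes."""
    base = (4                              # version
            + 1                            # input count
            + 36 + 1 + 4                   # prevout, empty scriptSig length, sequence
            + 1                            # output count
            + 8 + compact_size_len(spk_len) + spk_len   # value + scriptPubKey
            + 4)                           # locktime
    witness = (2                           # SegWit marker and flag bytes
               + compact_size_len(len(witness_items))
               + sum(compact_size_len(n) + n for n in witness_items))
    return base * 4 + witness


def vsize(weight: int) -> int:
    """Virtual size in vbytes, the unit fee rates are quoted in."""
    return ceil(weight / 4)


def txs_per_block(weight: int) -> int:
    """Upper bound on how many such transactions fit in one block."""
    return MAX_BLOCK_WEIGHT // weight


def compare() -> dict:
    """name -> (weight, vbytes, max transactions per block)."""
    result = {}
    for name, (spk_len, items) in SCHEMES.items():
        w = tx_weight(spk_len, items)
        result[name] = (w, vsize(w), txs_per_block(w))
    return result


if __name__ == "__main__":
    for name, (weight, vb, per_block) in compare().items():
        print(f"{name:32} {weight:6} WU  {vb:5} vB  {per_block:5} tx/block")
```

Under these assumptions a P2WPKH spend weighs 438 WU (about 9,100 per block), an ML-DSA-44 spend 4,117 WU (about 970 per block) and an SLH-DSA-128s spend 8,271 WU (about 480 per block). That order-of-magnitude drop in throughput is the "accompanying changes" problem: it is why proposals in this space tend to discuss signature aggregation, a different witness discount, or both, alongside the new signature type.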
Timeline — how urgent is this?
The honest answer: urgent enough to start preparing, not urgent enough to panic.
Most credible estimates place cryptographically-relevant quantum computers (CRQCs) — machines capable of breaking Bitcoin's signatures — somewhere between 10 and 25 years away. That is a wide range because quantum hardware progress is non-linear and a single breakthrough could compress the timeline.
The prudent framing is this: if CRQCs arrive in 15 years, Bitcoin has time to migrate cleanly. If they arrive in 7 years, Bitcoin has time but the migration will be stressful. If they arrive in 3 years, the migration will be chaotic. The proposal under discussion exists to move the Bitcoin ecosystem toward being ready for the chaotic scenario even though the smooth-migration scenario is more likely.
A practical checklist for holders right now
Regardless of how the migration debate resolves, there are steps every holder should take immediately. None of them require the proposal to pass.
1. **Stop reusing addresses.** Every time you receive Bitcoin, use a fresh address. This is standard practice in 2026 and most modern wallets do it automatically, but double-check. Address reuse is the single biggest self-inflicted quantum-exposure risk.
2. **Move coins off legacy P2PK outputs.** If you still hold coins in Pay-to-Public-Key outputs (rare but possible if you bought very early), move them to a bech32 native SegWit (P2WPKH) address. Note that a Taproot (P2TR) output contains its public key in the output script, so Taproot does not hide the key the way P2WPKH does. None of this makes the coins quantum-safe, but P2WPKH keeps the public key off-chain until the next spend.
3. **Use hardware wallets that are receiving post-quantum firmware updates.** The major hardware-wallet vendors have publicly committed to supporting post-quantum signature schemes when they ship. Prefer vendors who are public about their roadmap.
4. **Do not act on the proposal yet.** Nothing has been activated. The debate is ongoing. Hasty moves based on unconfirmed rules create more risk than they solve.
5. **Back up seed phrases carefully.** Your seed phrase is a backup of your keys, not of a particular signature scheme, so it remains the starting point for whatever migration happens. In principle a BIP-39 seed carries enough entropy to derive post-quantum keys as well, but no derivation standard exists yet, and migrating will still mean an on-chain transaction that moves the coins into the new output type. Make sure your seed backup is durable.
6. **Stay current.** Subscribe to Bitcoin Optech, read BIP drafts as they are published, and follow discussions from well-known developers. The migration plan, if it moves forward, will not happen overnight; but when it does, accurate information will matter.
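Step 1 above is the one you can verify for yourself today. The following audit is an added example (not a wallet feature or code from the proposal): given a wallet's transaction history, it lists the unspent outputs whose script has already been spent from, so their public key is already public, and the ones still protected by a hash. The history is constructed for the example, and its record layout (height, txid, inputs as spent outpoints, outputs as script/value pairs) is an assumption of this example rather than any wallet's export format. It only covers exposure through reuse; P2PK and Taproot outputs are exposed by their output type regardless, which a template check on the script would flag separately.

```python
"""Audit a wallet's transaction history for unspent outputs whose public key
is already on-chain because the same script was spent from before (address
reuse).  Added example; the history below is constructed, not a real wallet
export, and its record layout (height, txid, vin as spent outpoints, vout as
(script, value) pairs) is an assumption of this example."""

# Constructed history.  Script A receives at height 100, is spent at 120 (which
# publishes A's public key) and receives again at 130 and 140.  Script B is
# received once and never spent; C is change that is never spent from.
HISTORY = [
    {"height": 100, "txid": "t1", "vin": [], "vout": [("A", 50_000), ("B", 10_000)]},
    {"height": 120, "txid": "t2", "vin": [("t1", 0)], "vout": [("C", 49_000)]},
    {"height": 130, "txid": "t3", "vin": [], "vout": [("A", 20_000)]},
    {"height": 140, "txid": "t4", "vin": [("t3", 0)], "vout": [("A", 19_000)]},
]


def audit(history):
    """Split the current UTXOs into (exposed, hashed): exposed ones sit on a
    script that has been spent from, so the key is public; hashed ones are
    still protected by the hash until their first spend."""
    outputs = {}       # (txid, n) -> (script, value, funded_at)
    first_spend = {}   # script -> height of the first spend that revealed its key
    spent = set()
    for tx in sorted(history, key=lambda t: t["height"]):   # stable: keeps order within a block
        for prev in tx["vin"]:
            if prev not in outputs:      # funded outside this export; cannot attribute
                continue
            spent.add(prev)
            first_spend.setdefault(outputs[prev][0], tx["height"])
        for n, (script, value) in enumerate(tx["vout"]):
            outputs[(tx["txid"], n)] = (script, value, tx["height"])

    exposed, hashed = [], []
    for outpoint, (script, value, funded_at) in outputs.items():
        if outpoint in spent:
            continue                     # no longer a UTXO, nothing left to steal
        entry = {"outpoint": outpoint, "script": script, "value": value, "funded_at": funded_at}
        if script in first_spend:
            entry["key_public_since"] = first_spend[script]
            exposed.append(entry)
        else:
            hashed.append(entry)
    return exposed, hashed


if __name__ == "__main__":
    exposed, hashed = audit(HISTORY)
    for e in exposed:
        print(f"EXPOSED  {e['outpoint']} script {e['script']} {e['value']} sat "
              f"(key public since height {e['key_public_since']}): move to a fresh address")
    for h in hashed:
        print(f"hashed   {h['outpoint']} script {h['script']} {h['value']} sat")
```

The rule is deliberately strict: a UTXO counts as exposed if its script has been spent from at any time, whether before or after that UTXO was funded, because the key is public either way. The fix for an exposed UTXO is the same as step 1: spend it to a fresh address and never receive at the old one again.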
FAQ
Is my Bitcoin at risk from quantum computers right now?
No. Today's quantum computers are nowhere near capable of running Shor's algorithm at the scale needed to break Bitcoin signatures. The estimates are 10–25 years out. The risk is real but not near-term.
If I hold Bitcoin on an exchange, am I covered?
You are covered to the extent that the exchange migrates. Exchanges will follow the network rules. Bear in mind that exchange hot-wallet addresses are typically spent from and refilled many times, so their public keys are already on-chain; the exposure of coins you hold there is governed by the exchange's custody practices, not by your own address hygiene. Holding Bitcoin in self-custody gives you direct control over the migration timing; holding on an exchange delegates it.
Would the freeze proposal really be activated?
It is a proposal, not a decision. Any consensus-rule change requires broad agreement from miners, nodes, and economic actors. The current debate — with Adam Back, Hoskinson, and others weighing in — is exactly the kind of public scrutiny that proposals face before activation. Activation is not imminent.
What is the difference between my address and my public key?
For P2PKH and native SegWit P2WPKH (bech32) addresses, the address encodes a hash of your public key; for P2SH and P2WSH it encodes a hash of a script, which in turn contains the keys. In all of those cases the key itself is only revealed when you spend from the address. A Taproot (bech32m) address is different: it encodes the public key directly. This is why not spending, or spending only from fresh addresses, limits on-chain exposure.
Will my seed phrase still work after a migration?
For the keys it derives today, yes. It is also the natural place to derive any future post-quantum keys from, since a BIP-39 seed carries plenty of entropy. But no wallet can promise that yet: there is no standard for post-quantum derivation paths, and moving coins into a new output type will require an on-chain transaction, not just a wallet update. Expect new address types to appear in wallets once the output type exists and the coins to need moving into them.
What about multisig setups?
Multisig is a scripting layer on top of signatures. As long as each signer's underlying signature scheme is migrated to a post-quantum version, the multisig logic itself is unaffected. Two caveats apply. A spend from a P2SH or P2WSH multisig reveals the whole witness script and therefore every cosigner's public key, so a multisig address that has been spent from is exposed like any reused address. And migrating means creating a new multisig output with the new keys and moving the coins into it, since existing outputs keep the script they were funded with.
Conclusion
The quantum threat to Bitcoin is real, but the timeline is long and the mitigation path is clear. The proposal under debate this week is aggressive, and its freeze element is genuinely controversial — Adam Back's concern about consensus-layer freezes setting a precedent is not unreasonable. What is not in dispute is that Bitcoin will eventually need post-quantum signature schemes, and that holders who prepare early will have a calmer migration than those who do not. The actions that matter most for individuals — stop reusing addresses, move coins off P2PK, use wallets on a credible post-quantum roadmap, and stay informed — do not require the proposal to pass. They are good practice regardless.
This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency prices are volatile and you should do your own research before making any investment decisions.