
A researcher broke a 15-bit elliptic curve key on a real quantum computer in April 2026, winning Project Eleven's Q-Day Prize and 1 BTC for the largest public demonstration of the attack class that threatens the cryptography protecting every Bitcoin wallet. The key was tiny, and 256-bit ECDSA is not remotely close to falling, but the direction is clear. Roughly 6.9 million BTC sit in addresses with exposed public keys, including Satoshi's estimated 1 million coins, and every advance in quantum hardware shrinks the gap between "theoretical threat" and "practical timeline."
Bitcoin developers have been watching this trajectory for years. BIP-360, published on February 11, 2026, and merged into Bitcoin's official BIP repository, is their answer. It proposes a new output type called Pay-to-Merkle-Root (P2MR) that works almost exactly like Taproot (P2TR) but removes the one piece that quantum computers could eventually exploit. BTQ Technologies deployed the first working implementation on Bitcoin Quantum testnet v0.3.0 in March 2026.
Why Taproot Has a Quantum Problem
To understand what BIP-360 fixes, you need to understand what Taproot exposes.
When Bitcoin activated the Taproot upgrade in November 2021, it introduced P2TR (Pay-to-Taproot) outputs with two spending paths. The first is the keypath spend, where a single public key sits directly on the blockchain and the owner proves they hold the matching private key. The second is the scriptpath spend, where spending conditions are hidden inside a Merkle tree of scripts, and only the branch being used gets revealed at spend time.
The keypath is fast, cheap, and private for normal use. But it puts the public key on-chain in plaintext. Today that is perfectly safe because no computer can reverse ECDSA from public key to private key. A sufficiently powerful quantum computer running Shor's algorithm could do exactly that. Google's April 2026 whitepaper estimated a full 256-bit ECC attack would require fewer than 500,000 physical qubits, down from earlier projections in the millions. A separate Caltech and Oratomic paper brought the estimate as low as 10,000 qubits in a neutral-atom architecture.
Neither machine exists yet. But the estimates keep dropping, and the addresses with exposed keys are not going anywhere. Every P2TR keypath spend, every legacy Pay-to-Public-Key (P2PK) output from Bitcoin's early years, and every address that has ever sent a transaction (revealing the public key in the process) sits in a growing pool of quantum-vulnerable coins.
How P2MR Removes the Vulnerability
BIP-360's fix is elegant because it changes almost nothing about how Bitcoin scripting works.
P2TR outputs commit to a tweaked public key that encodes both the keypath and the Merkle root of the script tree. P2MR drops the keypath entirely. Instead of tweaking a public key, P2MR commits directly to the Merkle root of the script tree. No public key appears on-chain at any point until a script branch is executed, and even then, the key is only exposed inside the specific branch being spent.
Think of it like this. Taproot is a locked safe where one key hangs on a hook outside the door (convenient, but visible) and backup keys are sealed inside numbered envelopes in a vault. P2MR removes the hook entirely. Every key lives inside the vault, and you only reveal the one you need when you open a specific envelope.
The technical implementation uses SegWit version 2, which gives P2MR its own address prefix. Mainnet P2MR addresses start with bc1z, following the bech32m encoding standard where version 2 maps to the letter z. P2TR addresses start with bc1p (version 1), and legacy SegWit addresses start with bc1q (version 0). The new prefix makes P2MR addresses immediately identifiable.
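As an added illustration of the prefix rule above (this is not code from the article, BIP-360, or BTQ's testnet), the bech32m encoder below runs the same witness program through versions 0, 1 and 2 and produces bc1q, bc1p and bc1z addresses together with the matching scriptPubKey. It assumes, as the article states, that a P2MR output is witness version 2 carrying a 32-byte Merkle root; the sample root is a constructed placeholder.

```python
# Added example, not code from the article or from BTQ's Bitcoin Quantum testnet.
# Builds the scriptPubKey and bech32/bech32m (BIP-173/BIP-350) address for SegWit
# v0, v1 and v2 witness programs; P2MR = v2 + 32-byte Merkle root is an assumption.

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"   # index 0 -> q, 1 -> p, 2 -> z
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3    # v0 uses bech32, v1+ use bech32m

def _polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk

def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def _to_5bit(data):
    # Regroup 8-bit bytes into 5-bit symbols, zero-padding the final group.
    acc, bits, out = 0, 0, []
    for b in data:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:
        out.append((acc << (5 - bits)) & 31)
    return out

def segwit_address(hrp, version, program):
    data = [version] + _to_5bit(program)
    const = BECH32_CONST if version == 0 else BECH32M_CONST
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ const
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)

def script_pubkey(version, program):
    # OP_0 for v0, OP_1..OP_16 (0x51..0x60) for v1+, then a direct push of the program.
    op_n = 0x00 if version == 0 else 0x50 + version
    return bytes([op_n, len(program)]) + program

# Constructed stand-in for a P2MR script-tree Merkle root (not a real commitment).
SAMPLE_ROOT = bytes(range(32))

if __name__ == "__main__":
    for v, prog in [(0, bytes(20)), (1, SAMPLE_ROOT), (2, SAMPLE_ROOT)]:
        print(v, script_pubkey(v, prog).hex(), segwit_address("bc", v, prog))
```

The v0 and v1 cases reproduce the published BIP-173 and BIP-350 test vectors, so the same code path that yields bc1z for version 2 is the one real wallets already use for bc1q and bc1p.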
What the Testnet Implementation Includes
BTQ Technologies released Bitcoin Quantum testnet v0.3.0 in March 2026 with a full working implementation of BIP-360. This is not a whiteboard concept anymore. People are creating and spending P2MR transactions on a live test network.
The testnet includes five Dilithium post-quantum signature opcodes enabled in P2MR tapscript context. Dilithium (now standardized by NIST as ML-DSA) is a lattice-based signature scheme that quantum computers cannot break using known algorithms. Where Bitcoin currently relies on ECDSA and Schnorr signatures, both vulnerable to Shor's algorithm, Dilithium signatures resist quantum attack because they are built on mathematical problems (module lattice problems) that remain hard even for quantum hardware.
The implementation also includes full P2MR consensus validation, Merkle root commitment verification, control block validation, and end-to-end CLI wallet tooling for creating and spending quantum-resistant transactions. Developers can test the entire flow today.
One important design choice in BIP-360 is backward compatibility. P2MR leverages the existing P2TR tapleaf and tapscript code already in Bitcoin Core, which means wallets, exchanges, and libraries that support Taproot can reuse much of their code to add P2MR support. That significantly lowers the barrier to adoption if the proposal eventually activates on mainnet.
What 6.9 Million Vulnerable BTC Actually Means
The number sounds alarming, and it should get your attention, but the context matters.
Project Eleven estimates that approximately 6.9 million BTC, roughly one-third of total supply, sit in addresses where the public key is already visible on-chain. This includes every P2PK output from Bitcoin's first two years (including Satoshi's coins), every address that has sent a transaction at least once (the public key is revealed in the spending input alongside the signature), and every P2TR keypath spend.
If a quantum computer powerful enough to run Shor's algorithm against 256-bit ECC ever comes online, those coins could theoretically be stolen. The attacker would derive private keys from the exposed public keys and sweep the funds.
But "theoretically" is doing heavy lifting in that sentence. The April 2026 Q-Day Prize winner broke a 15-bit key. Bitcoin uses 256-bit keys. That gap represents an astronomical difference in computational difficulty, not a linear one. The 15-bit result extends the previous record by a factor of 512, which is meaningful progress for the research community, but the jump from 15 bits to 256 bits requires advances in qubit count, error correction, and coherence time that no existing roadmap places within the next several years.
The honest framing is this. The threat is real, the timeline is uncertain, and Bitcoin has a window to prepare. BIP-360 is the preparation.
What BIP-360 Does Not Do
BIP-360 is a proposal, not a protocol change. Several things need to happen before it affects your Bitcoin.
It has not activated on mainnet. The testnet implementation proves the concept works, but activation on Bitcoin's main network would require community consensus through the soft fork process. Historically, Bitcoin soft forks take years from proposal to activation. SegWit took roughly four years. Taproot took about three from initial discussion to lock-in.
It does not protect existing addresses automatically. If BIP-360 activates, users would need to move their coins into new P2MR (bc1z) addresses to gain quantum resistance. Coins sitting in old address types remain vulnerable once their public key is exposed, and stay that way until they are moved. This is a voluntary migration, not an automatic upgrade, and users who are comfortable with their current address type can simply leave their coins where they are.
It does not make Bitcoin "quantum-proof" in the absolute sense. BIP-360 protects against Shor's algorithm attacking elliptic curve keys. If entirely new quantum attack vectors emerge against hash functions or lattice-based cryptography in the future, additional upgrades would be needed. The proposal addresses the most well-understood and immediate quantum threat, not every conceivable one.
It also does not affect Bitcoin's proof-of-work mining. Bitcoin mining uses SHA-256 hash functions, which are resistant to Shor's algorithm. Quantum computers could gain a modest advantage using Grover's algorithm, but that would at most halve the effective hash security, still leaving it at 128-bit equivalent strength, which is more than sufficient.
The Timeline That Matters for Traders
If you hold BTC and are wondering what to actually do with this information, the answer right now is nothing different. But the timeline is worth tracking.
| Milestone | Status | What It Means |
| --- | --- | --- |
| BIP-360 published and merged | Done (Feb 2026) | Proposal is official and peer-reviewed |
| First testnet implementation | Done (Mar 2026) | Code works, developers can test |
| Q-Day Prize (15-bit ECC broken) | Done (Apr 2026) | Quantum threat is advancing, not theoretical |
| Mainnet soft fork activation | Not started | Requires community consensus, likely years away |
| Wallet and exchange P2MR support | Not started | Infrastructure must adopt bc1z addresses |
| User migration to bc1z addresses | Not applicable yet | Coins must be moved manually when available |
The pattern here mirrors every major Bitcoin upgrade. The technical work runs years ahead of activation. Taproot was proposed in 2018 and activated in 2021. BIP-360 is in the early proposal stage, and even optimistic timelines suggest mainnet activation is several years out.
For traders, the relevant signal is not BIP-360 itself but the pace of quantum computing headlines. Every new record, every qubit milestone from IBM or Google or Caltech, and every revised timeline for "cryptographically relevant quantum computers" will move markets. The Giancarlo Lelli Q-Day Prize result already triggered a wave of coverage and briefly pressured BTC price before the market absorbed the context.
Frequently Asked Questions
Is Bitcoin safe from quantum computers right now?
Yes. The largest public quantum attack on elliptic curve cryptography cracked a 15-bit key in April 2026. Bitcoin uses 256-bit keys, and the computational gap between those two numbers is not something current quantum hardware can bridge. Most researchers estimate cryptographically relevant quantum computers are still years to a decade or more away.
What is a bc1z address?
It is the address format proposed by BIP-360 for Pay-to-Merkle-Root (P2MR) outputs. The bc1z prefix identifies SegWit version 2 under the bech32m encoding standard, similar to how bc1p identifies Taproot (version 1) and bc1q identifies native SegWit (version 0). These addresses would hide public keys entirely from on-chain exposure.
Do I need to move my Bitcoin to a quantum-resistant address now?
No. BIP-360 has not activated on Bitcoin's mainnet, so P2MR addresses do not exist in production yet. When and if activation happens, you would need to send your coins to a new bc1z address to gain quantum protection. Until then, standard best practices apply. Use addresses that have not had their public keys exposed by prior transactions when possible.
What happens to Satoshi's Bitcoin if quantum computers advance?
Satoshi's estimated 1 million BTC are stored in early Pay-to-Public-Key (P2PK) outputs where the public key is permanently visible on-chain. If a quantum computer ever becomes powerful enough to break 256-bit ECDSA, those coins could be taken by anyone with access to such a machine. BIP-360 cannot protect them because no one can move them to a new address type. This is one of the most debated edge cases in Bitcoin's long-term security discussion.
Bottom Line
BIP-360 is not an emergency patch. It is the Bitcoin developer community building a fire escape before anyone smells smoke. The quantum threat to Bitcoin's elliptic curve cryptography is real but not imminent, and the timeline keeps compressing as qubit counts climb and error rates drop. P2MR gives Bitcoin a migration path that preserves Taproot's scripting power while eliminating the keypath vulnerability that puts 6.9 million BTC at theoretical risk.
The practical question for the next two to three years is not "should I worry about quantum computers" but "how fast is the quantum computing timeline accelerating." Each new milestone, from the 15-bit Q-Day Prize to Google's sub-500,000-qubit projections, resets the urgency calculation. When BIP-360 eventually moves toward mainnet activation, the wallets and exchanges that prepared early will have a competitive advantage. The ones that waited will be scrambling. That gap between prepared and unprepared is where the trading opportunity eventually lives.
This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency trading involves substantial risk. Always conduct your own research before making trading decisions.