← stackerzero.com/briefings/2026-04-15-bip360-plain-english

2026-04-15

WTF Is BIP 360? The Quantum-Resistant Bitcoin Upgrade Explained in Plain English

Wall Street just said Bitcoin has a 3-5 year quantum window. Here's what BIP 360 actually does, why migration has to happen before Q-Day — not after — and what you need to do right now.

WTF Is BIP 360?

Wall Street noticed yesterday.

Bernstein — the research firm, not the composer — put out a note saying Bitcoin faces a "real but manageable" quantum threat with a 3-5 year planning window. That's not crypto Twitter. That's a research desk that advises institutional money.

So let me explain what BIP 360 is, why it matters, and why the timing of the upgrade is the most important part that nobody's talking about.

First: Why Does Bitcoin Have a Quantum Problem?

When Satoshi built Bitcoin in 2008, he used ECDSA — Elliptic Curve Digital Signature Algorithm. It was the best option available. Fast, compact, battle-tested in TLS and SSL. Smart choice for the time.

ECDSA security rests on one assumption: that you can't reverse-engineer a private key from a public key. Mathematically, this is called the Elliptic Curve Discrete Logarithm Problem. Classical computers can't crack it in any reasonable timeframe. We're talking longer than the age of the universe.

A quantum computer running Shor's Algorithm can.

Not today — current quantum hardware is nowhere close. But the trajectory has gotten steep enough that a Nobel Prize-winning physicist who helped build Google's quantum hardware said this month that Bitcoin could be "among the earliest real-world targets" once threshold is crossed.

That's not FUD. That's someone who builds these machines telling us to pay attention.

What BIP 360 Does

BIP 360 introduces a new Bitcoin output type called P2MR: Pay-to-Merkle-Root.

Here's what that means in plain English:

Instead of locking coins to an elliptic curve public key (quantum-vulnerable), you lock them to the root of a Merkle tree that commits to one or more post-quantum public keys.

The post-quantum signature scheme BIP 360 uses is called CRYSTALS-Dilithium. NIST — the US government standards body — spent 6 years reviewing it and standardized it in 2024. It's based on lattice problems, which quantum computers don't know how to efficiently solve. Yet.

Five new opcodes are added to Bitcoin Script to enable Dilithium signatures in the tapscript context.

Key-path spending — the quantum-vulnerable shortcut in Taproot — is removed entirely. Every spend must go through the script path, which can be made quantum-resistant.

The Merkle tree structure gives flexibility: you can commit to multiple keys, mix quantum-resistant and classical keys during a transition period, and build complex spending conditions without bloating the base chain any more than necessary.

This Is Running Code Now

BTQ Technologies shipped Bitcoin Quantum testnet v0.3.0 on March 20th.

Not a whitepaper. Not a draft. Running code, on a live testnet, with:

  • 50+ miners
  • 100,000+ blocks mined
  • 100+ open-source contributors
  • Full CLI wallet tooling for quantum-resistant transactions

You can run a node against it right now at btq.com. I'm planning to spin one up on my Pi 4 and document the experience — watch this space.

The BIP 360 PR is also open in the official bitcoin/bips repository for community review and discussion.

The Part Nobody Talks About: The Race Condition

Here's the thing most explainers miss. And it's the most important part.

People ask: "Why can't we just upgrade after quantum computers get powerful enough? We'll know when it's coming."

Here's why that logic is wrong.

When you spend Bitcoin, your transaction broadcasts to the mempool before it confirms. In that window — however brief — your public key is exposed. Everyone can see it.

Right now that doesn't matter because no classical computer can derive your private key from your public key in time.

But a quantum computer can.

If Q-Day arrives and you haven't migrated your coins to a quantum-resistant output, here's the attack:

  1. You broadcast a spend transaction
  2. Attacker sees your public key in the mempool
  3. Attacker runs Shor's Algorithm, derives your private key in minutes/seconds
  4. Attacker broadcasts a competing transaction with higher fees
  5. Miners include the attacker's transaction first
  6. Your coins are gone

You don't get to react. By the time you know Q-Day has arrived, the race condition has already run against you.

This is why migration must happen before Q-Day. Not during. Not after. Before.

The Migration Challenge

There are roughly 4 million Bitcoin in old-format outputs that would need to move to quantum-resistant addresses to be protected. This includes:

  • Old P2PK outputs (bare public keys — early mining era, Satoshi's coins)
  • Any address that has ever spent from it and exposed its public key
  • Reused addresses of any type

The migration requires spending from the old address (momentarily exposing the public key) and sending to a new P2MR quantum-resistant address. That's the window of vulnerability during migration itself — which is another reason it needs to happen before capable quantum hardware exists, not while someone's waiting in the mempool with an attack ready.

The Trade-Offs Are Real

BIP 360 is not a free lunch. The community is actively debating these:

Signature size: Dilithium signatures are ~2.4KB versus 64 bytes for Schnorr. That's a 37x bloat per transaction. Fee implications are real. Block space pressure during a mass migration event could be severe.

FALCON as alternative: FALCON is another NIST-standardized post-quantum candidate with smaller signatures. Some contributors want it included in BIP 360 as an option. The debate is ongoing.

Consensus path: Bitcoin doesn't have a foundation, a CEO, or a governance committee. This upgrade has to achieve rough consensus among miners, node operators, developers, and users. That's slow. That's also the feature.

What You Should Do Right Now

You don't need to wait for BIP 360 to ship to reduce your risk today:

1. Never reuse addresses. When you expose your public key in a spend, the quantum clock starts on that key. Fresh address every time = no exposed pubkey.

2. Use bech32 addresses (bc1q...). Native SegWit. Proper address hygiene. Never use bare pubkey (P2PK) outputs.

3. Don't leave coins in old-format outputs. If you have Bitcoin sitting in an address that has spent before, the public key is already exposed. Move it to a fresh bech32 address.

4. Consider Silent Payments (BIP 352) for public-facing donation addresses. One static payment code, unique addresses per sender, no address reuse.

5. Learn what's coming. BIP 360 is real, running, and being tested. The community is engaged. The window exists. Use it.

The Bottom Line

Bernstein said 3-5 years. A Nobel physicist said Bitcoin is an early target. And there's working testnet code for the fix right now.

The upgrade path exists. The question is whether Bitcoin's community can move fast enough — and whether enough people understand what's at stake to demand that it does.

That's why I'm writing this. That's why StackerZero exists.

Stay sovereign. Verify everything. Migrate before the race condition runs.

Jon Rich, StackerZero

Sources: Bernstein Research note (April 14, 2026) · CoinDesk interview with Google quantum physicist (April 7, 2026) · Nature (independent cryptographic security analyses) · BTQ Technologies BIP 360 testnet v0.3.0 · bitcoin/bips GitHub repository

Comments

💬 Comments coming soon

We're setting up community comments via GitHub Discussions. Check back shortly.

← All briefings